Tokyo Autumn 2019

Topics

SEC401.1 Network Security Essentials - Module Outline

• Defensible Network Architecture
• Virtualization and Cloud Security
• Lab Virtual Machine Setup
• Network Device Security
• Networking and Protocols
• Lab - tcpdump
• Securing Wireless Networks
• Lab - Aircrack-ng
• Securing Web Communications
• Lab -Wireshark

Module 1: Defensible Network Architecture

Involves the fundamentals of network architecture, including network architecture, attacks against network devices, network topologies and network design.

• Network Architecture: Understand and identify the goals of building a defensible network architecture
• Understanding the Architecture of the System
• Conceptual Design
• Logical Design
• Physical Design
• Understand Communication Flow
• Know Where Your Valuable Data is
• Attacks Against Network Device: Understand and identify the common types of attacks against networks
• Networks Under Attack
• Threat Enumeration
• Threat Agents
• Attacks Against Routers
• Attacks against switches
• Network Topologies: Understand and know the different types of topologies and the inherent security risks they create
• Physical and Logical Topologies
• Ethernet
• Network Design
• Approaches to Network Design
• Network Design: Understanding and knowing how to design a secure network that incorporates both prevention and detection
• Approaches to Network Design
• Network Architecture Design
• Network Design Objectives
• Network Sections

Module 2: Virtualization and Cloud Security

Involves understanding and learning what virtualization is and how it works, the most common form of virtualization and how virtual machines interact with multiple operating systems.

• Virtualization
• Setting Up Virtualization
• Virtualization Security
• Virtualized Architectures
• Cloud Overview
• Cloud Security

• Lab 1.1: Virtual Machine Setup: The purpose of this lab is to learn how to set up Windows and Linux virtual machines in a lab-based environment and understanding the fundamentals of the operating systems and how to run basic commands. Completing the lab, you will learn:

• Copy and extract the SANS-supplied Windows 10 virtual machine and the Kali Linux virtual machine to your hard drive
• Start the virtual machines with VMware Workstation, Player, or Fusion if on a Mac
• Configure your Windows 10 licensing
• Verify network connectivity between the two virtual machines

Module 3: Network and Device Security

Involves understanding the different devices that are deployed on a network and how they function.

• Network Devices
• Routing
• How Routing Works
• Device Security

Module 4: Networking and Protocols

Involves understanding the properties and functions of network protocols and the network protocol stacks

• Network Protocols
• Layer 3
• Internet Protocol (IP)
• Internet Control Message Protocol (ICMP)
• Layer 4
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
• tcpdump
• Lab1.2: tcpdump: The purpose of this lab is to learn how to use Kali and run a sniffer and understand how to decode packets. You will learn,
• Introduction to tcpdump and basic commands
• Running tcpdump and sniffing network traffic
• Analyzing hex and ASCII data
• Connecting to a non-listening TCP port

Module 5: Securing Wireless Networks

Involves the aspect of deploying and utilizing wireless networks. Student will understand wireless technologies.

• Wireless overview
• Bluetooth and ZigBee
• 802.11
• Wireless security
• Lab1.3: Aircrack-ng: In the lab, you will use the aircrack-ng tool suite to assess the security of both the Wired Equivalent Privacy (WEP) security algorithm and Wi-Fi Protected Access (WPA) protocol associated with 802.11 wireless network security. You will learn:
• Introduction to the aircrack-ng suite
• Cracking a WEP key
• Cracking a WPA2 passphrase

Module 6: Securing Web Communications

Involves understanding how web applications work. Learn best practices for creating secure web applications and how to identify and fix vulnerabilities in web applications.

• How Web Applications Work
• Basics of Secure Coding
• Web Application Vulnerabilities
• Lab 1.4: WireShark: In this lab, you will learn how to use Wireshark and understand how to analyze packets.
• Introduction to Wireshark and its GUI
• Basic capture of an FTP connection
• Analysis of a TFTP session

Topics

SEC401.2 Defense-In-Depth and Attacks -Module Outline

• Defense-in-Depth
• Access Control & Password Management
• Lab - John the Ripper
• Security Policies
• Lab - Cain & Abel
• Critical Controls
• Malicious Code and Exploit Mitigations
• Lab - Malicious Software
• Advanced Persistent Threat (APT)

Module 7: Defense-in-Depth

Involves understanding what defense in depth is and an overview of the key areas of security.

• Defense-in-Depth Overview
• Risk = Threats x Vulnerabilities
• CIA Triad
• Strategies for Defense in Depth
• Core Security Strategies

Module 8: Access Control & Password Management: Involves understanding understand the fundamental theory of access control

• Access control
• Data classification
• Managing access
• Separation of duties
• Password management
• Password management technologies
• How password assessment works
• Lab 2.1 - John the Ripper: In this lab students will perform a lab using John the Ripper, a widely-used password cracking tool, which was covered in the module. Completing the lab, you will learn:
• Introduction to John the Ripper and its various components
• Cracking passwords with John the Ripper

Module 9: Security Privacy

Involves the understanding on how to assess a policy by establishing a baseline framework to work within, and by establishing a mission statement that defines your policies.

• Security Policies
• Need for policies
• Policy Framework
• Enforcement
• Lab 2.2 - Cain & Abel: This lab is designed to help learn how to use a multi-purpose tool like Cain & Abel and understand the fundamentals of auditing the strength of passwords. In this lab, you will learn:
• Introduction to Cain & Abel and its GUI
• Extracting and cracking passwords from your Windows 10 SAM database
• Cracking a password from a Cisco Router

Module 10: Critical Security Controls

Involves understanding the purpose and background of the Critical Security Controls.

• Overview of the Critical Security Controls
• The Critical Security Controls
• Sample Critical Security Control

Module 11: Malicious Code and Exploit Mitigation

Involves understanding the details of the Mitnick-Shimomura attack, as well as what we can learn from this attack to appropriately protect our networks against these threats.

• Mitnick-Shimomura
• Defensive strategies
• Common types of attacks
• Lab 2.3 - Malicious Software: In this lab, you will learn how to defend against malicious software understand the operations of malicious software. You will also learn:
• Analyzing the non-trojaned program
• Analyzing the trojaned program and gaining privileged access
• Checking for a buffer overflow

Module 12: Advanced Persistent Threat (APT)

Involves learning the new threats that exist in cyberspace and effective ways for dealing with these threats. Students will also understand what an APT is and the basic strategies of how they work and operate.

• What are APTs and why are they so hard to manage?
• Defending Against an APT
• How can cyber remediation be approached?
• Offensive Operations

Topics

SEC401.3 Threat Management - Module Outline

• Vulnerability Scanning and Penetration Testing
• Lab - nmap
• Network Security Devices
• Lab - Snort
• Endpoint Security
• Lab -hping
• SIEM/log management
• Active Defense
• Lab - Command Injection

Module 13: Vulnerability Scanning and Penetration Testing

Involves understanding the concepts and relationships behind reconnaissance, resource protection, risks, threats and vulnerabilities.

• Vulnerability management overview
• Network scanning
• Penetration Testing

• Lab 3.1 - Nmap: The purpose of this lab is to identify open ports on a system and understand the operations of port-scanning software. Completing the lab, you will learn:
• Introduction to Nmap and its features
• Port scanning with Nmap
• OS and application version scanning
• Nmap Scripting Engine (NSE)

Module 14: Network Security Devices

Involves taking a look at the 3 main categories of network security devices: firewalls, NIDS and NIPS. Together they provide a complement of prevention and detection capabilities.

• Firewalls
• Overview
• Types of Firewalls
• Configuration and Deployment
• NIDS
• Types of NIDS
• Snort as an NIDS
• NIPS
• Methods of Deployment
• Lab 3.2: Snort: In this lab, you will learn how to run and configure Snort and understand how to utilize an IDS to detect attacks. Area's within the lab are:

• Introduction to Snort and its features
• Running Snort and triggering an alert
• Reviewing Snort logs and the matched signatures

Module 15: Endpoint Security

Involves understanding the overall importance and concepts of endpoint security. This module, we will examine some of the key components, strategies, and solutions for implementing endpoint security.

• Endpoint Security Overview
• Endpoint Security Solutions
• HIDS Overview
• HIPS Overview
• Lab 3.3 - hping 3: This lab teaches you how to craft packets and understand packet-creation software. Area's in the lab are:
• Introduction to hping 3 and its features
• Crafting packets with hping 3
• Spoofing IP addresses with hping 3

Module 16: SIEM/Log Management

Involves student being able to obtain a high-level understanding of what logging is and why it is important. The student will also know have a high-level understanding of what logging is and why it is important.

• Logging Overview
• Setting Up and Configuring Logging
• Logging Analysis Basics
• Key Logging Activity

Module 17: Active Defense

Involves explaining what active defense is and how it can be used. You will get an appreciation for new ways to approach security and how to make your defensive solutions more active.

• Defining Active Defense
• Active Defense Techniques
• Active Defense Tools
• Honeypots & Active Defense
• Lab 3.4 - Command Injection: In this lab, you will Learn how to perform command injection and understand how attacks work and operate. Completing the lab, you will understand:
• Normal operation
• Injecting a command to break out of a restriction

Topics

SEC401.4 Cryptography, Risk Management and Response - Module Outline

• Cryptography
• Lab - Stego
• Cryptography Algorithms and Deployment
• Applying Cryptography
• Lab - GPG
• Incident Handling and Response
• Lab - Hashing
• Contingency Planning - BCP/DRP
• IT Risk Management

Module 18: Cryptography

Involves students having a basic understanding of the fundamental concepts of cryptography

• Overview of Cryptology
• Plaintext, Ciphertext, and Key
• Types of Symmetric Encryption
• Symmetric Encryption
• Asymmetric Encryption
• Hash
• Lab 4.1 - Image Steganography: In this lab, you will understand the operations of data hiding program and learn how to utilize steganography programs. The topics will be:
• Learn how to utilize steganography programs

Module 19: Cryptography Algorithms and Deployment

Involves students having a high-level understanding of the mathematical concepts that contribute to modern cryptography

• Crypto Concepts
• Symmetric and asymmetric cryptosystems
• Crypto attacks

Module 20: Applying Cryptography

Involves having a high-level understanding of what VPNs are and how they operate. Students will also understand the functionality of the GPG cryptosystem and how they operate.

• Data in transit
• Virtual private networks (VPNs)
• Data at rest
• Data encryption
• Full disk encryption
• GNU Privacy Guard (GPG)
• Key management
• Public key infrastructure (PKI)
• Digital certificates
• Certificate authorities (CA)
• Lab 4.2 - GNU Privacy Guard (GPG): In this lab, you will learn how to utilize GPG and understand the operations of cryptography algorithms.
• Encryption
• Decryption
• Signing a message
• Verifying a signature

Module 21: Incident-Handling Foundations

Involves understanding the concepts of incident handling and the six-step incident-handling process. Students will also be able to identify areas of law that are important to incident handling and understand important practices in handling evidence

• Incident-handling fundamentals
• Six step processes for handling an incident
• Legal aspects of incident handling
• Lab 4.3 - Hashing: In this lab, you will learn how to utilize hashing programs and understand the operations of cryptography algorithms. Completing the lab, students will review:
• Introduction to hashing tools and file integrity validation
• Automating file integrity checks

Module 22: Contingency Planning - BCP/DRP

Involves understanding the critical aspect of contingency planning with a business continuity plan (BCP) and disaster recovery plan (DRP)

• Contingency Planning
• Business Continuity Planning (BCP)
• Disaster Recovery Planning (DRP)

Module 23: Risk Management

Involves understanding the terminology and basic approaches to cyber security risk management

• Risk management overview
• Best-practice approach to risk management
• Threat assessment, analysis, and report to management

Topics

SEC401.5 Windows Security - Module Outline

• Windows Security Infrastructure
• Lab - Process Hacker
• Service packs, hot fixes, and backups
• Windows access controls
• Lab - Microsoft Baseline Security Analyzer
• Enforcing security policy
• Lab - Secedit
• Securing Windows Network Services
• Automation, auditing, and forensics
• Lab - PowerShell Scripting

Module 24: The Windows Security Infrastructure

Involves the ability to identify the different types of Windows operating systems and the differences between them. Students will also be able to identify the different types of Windows operating systems and the differences between them.

• Three classes of operating system:
• Client
• Server
• Embedded
• Lab 5.1 - Process Hacker: This lab teaches how to utilize a tool like Process Hacker and understand the operations of Windows and how it works.
• Install and launch Process Hacker
• Examine the details of a process, such as its modules and memory regions
• Inject a DLL into a process and then aggressively terminate that process

Module 25: Service Packs, Hotfixes, and Backups:

Involves the understanding of how to manage Windows Service Packs and Hotfixes for a network of Windows hosts.

• Service packs
• E-mail security bulletins
• Patch installation
• Automatic updates
• Windows server update services
• Windows backup
• System restore
• Device driver rollback

Module 26: Windows Access Controls

Involves understanding how permissions are applied in the Windows NT File System, Shared Folders, Printers, Registry Keys, and Active Directory, and how Privileges are applied.

• NTFS Permissions
• Shared Folder Permissions
• Registry Key Permissions
• Active Directory Permissions
• Privileges
• BitLocker Drive Encryption
• Lab 5.2 - Microsoft Baseline Security Analyzer: Learn to utilize a tool like Microsoft Baseline Security Analyzer and operations of Windows and how to properly secure the operating system. Completing the lab, students will understand the following topics:

• Install the Microsoft Baseline Security Analyzer (MBSA)
• Scan the local computer for vulnerabilities
• Examine an MBSA vulnerability report
• Remediate an identified vulnerability using the NET.EXE utility
• Scan local system again to confirm remediation

Module 27: Enforcing Security Policy

Involves having a high-level understanding of the features of Group Policy and working with INF security templates

• Applying security templates
• Employing the Security Configuration and Analysis snap-in
• Understanding Local Group Policy Objects
• Understanding Domain Group Policy Objects
• Administrative Users
• AppLocker
• User Account Control
• Checking Recommended GPO settings, including
• Password Policy
• Account Lockout Policy
• Security Options
• Internet Explorer Security
• Miscellaneous Administrative Templates
• Other Settings
• Lab 5.3 - Secedit: In this lab, students will learn to utilize a tool like Secedit and understand the operations of security templates and how to analyze a system
• Open the PowerShell ISE desktop application
• Compare current state of system against an INF security template
• Apply the INF security template to the local computer to reconfigure it
• Re-examine current state to confirm changes made

Module 28: Securing Windows Network Services

Involves the understanding on how to take basic measures in securing Windows network services

• Best way to secure a service
• Packet filtering
• IPsec authentication and encryption
• Internet Information Server (IIS)
• Remote Desktop Services
• Windows Firewall

Module 29: Automation, Auditing, and Forensics

Involves Introduction to the techniques and technologies used to audit Windows hosts.

• Verifying Policy Compliance
• Vulnerability Scanning and Reporting
• Creating Baseline System Snapshots
• Gathering Ongoing Operational Data
• Employing Change Detection and Analysis
• Lab 5.4 - PowerShell Scripting: In this lab, students will learn to utilize PowerShell scripting and understand the operations of scripting and automation.
• Open the graphical PowerShell ISE editor (ISE = Integrated Scripting Environment)
• List and manipulate processes and services
• Interact with the file system, such as sorting and hashing files
• Export data to HTML and comma-delimited CSV text files
• Query the Windows Management Instrumentation (WMI) service
• Query a local or remote Windows Event Log messages

Topics

Sec401.6 Linux Security - Module Outline

• Linux Security: Structure, Permissions and Access
• Hardening and Securing Linux Services
• Monitoring and Attack Detection
• Security Utilities

Module 30: Linux Security: Structure, Permissions and Access

Involves the foundational items that are needed to understand how to configure and secure a Linux system. It also provides an overview of the operating system and mobile markets. To lay a foundation, it provides an overview of the different operating systems that are based on Linux.

• Operating System comparison
• Linux security
• Apple Mac OS security
• Mobile security
• Linux shells
• Linux kernel
• Permissions
• User accounts

Module 31: Hardening and Securing Linux Services

Involves methods, tips, and tricks for hardening and securing Linux services. The Golden Rule to always remember is: The best way to secure a service is to turn it off.

• Starting services at boot time
• Package control
• Kernel security
• Port control and port restriction

Module 32: Monitoring and Attack Detection

Involves, Configuring and monitoring logs, logging with syslog and alternatives, parsing and filtering logs with grep, sed, awk, and cut and monitoring and accounting with uditd.

• Log Aggregation and SIEM
• Log Files
• Log Parsing

Module 33: Security Utilities

Involves some security-enhancement utilities, capabilities, and patch-management applications.

• Using built-in commands and security features
• Configuring integrity checkers
• Integrating host-based firewalls and managing them to provide security
• Using hardening scripts
• Deploying package management strategies
• Understanding other tools for increasing security