SEC401: Security Essentials Bootcamp Style and SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling will be taught in Japanese using Japanese language course materials. All other courses will use English language course materials and be taught in English with simultaneous translation in Japanese.
Please plan to arrive early on Day 1 (9:00AM-Local Time) for lab preparation and set up. The additional time is needed as the labs require the installation of both a Linux and Windows Virtual Machine (VM) and extensive copying of files in order to run and complete the labs successfully. The Instructor will be available to assist students with lab prep and set up from 9:00AM-9:30AM. Class lecture will start at 9:30AM.
Great course for people starting into security essentials.
Excellent tips and links provided today - for more than I was anticipating and many that I plan to use.
Learn the most effective steps to prevent attacks and detect adversaries with actionable techniques that you can directly apply when you get back to work. Learn tips and tricks from the experts so that you can win the battle against the wide range of cyber adversaries that want to harm your environment.
Is SEC401: Security Essentials Bootcamp Style the right course for you?
STOP and ask yourself the following questions:
If you do not know the answers to these questions, then SEC401 will provide the information security training you need in a bootcamp-style format that is reinforced with hands-on labs.
You Will Learn:
Learn to build a security roadmap that can scale today and into the future.
SEC401: Security Essentials Bootcamp Style is focused on teaching you the essential information security skills and techniques you need to protect and secure your organization's critical information assets and business systems. Our course will show you how to prevent your organization's security problems from being headline news in the Wall Street Journal!
"Prevention is Ideal but Detection is a Must."
With the rise in advanced persistent threats, it is almost inevitable that organizations will be targeted. Whether the attacker is successful in penetrating an organization's network depends on the effectiveness of the organization's defense. Defending against attacks is an ongoing challenge, with new threats emerging all of the time, including the next generation of threats. Organizations need to understand what really works in cybersecurity. What has worked, and will always work, is taking a risk-based approach to cyber defense. Before your organization spends a dollar of its IT budget or allocates any resources or time to anything in the name of cybersecurity, three questions must be answered:
Security is all about making sure you focus on the right areas of defense. In SEC401 you will learn the language and underlying theory of computer and information security. You will gain the essential and effective security knowledge you will need if you are given the responsibility for securing systems and/or organizations. This course meets both of the key promises SANS makes to our students: (1) You will learn up-to-the-minute skills you can put into practice immediately upon returning to work; and (2) You will be taught by the best security instructors in the industry.
Test your security knowledge with our free SANS Security Essentials Assessment Test.
Notice:
This course prepares you for the GSEC certification that meets the requirement of the DoD 8570 IAT Level 2.
Course Content Overlap Notice:
Please note that some course material for SEC401 and MGT512 may overlap. We recommend SEC401 for those interested in a more technical course of study, and MGT512 for those primarily interested in a leadership-oriented but less technical learning experience.
A key way that attackers gain access to a company's resources is through a network connected to the Internet. A company wants to try to prevent as many attacks as possible, but in cases where it cannot prevent an attack, it must detect it in a timely manner. Therefore, an understanding and ability to create and identify the goals of building a defensible network architecture are critical. It is just as important to know and understand the architecture of the system, types of designs, communication flow and how to protect against attacks using devices such as routers and firewalls. These essentials, and more, will be covered during 401.1, in order to provide a firm foundation for the consecutive days of training.
By the end of 401.1, you will understand Defensible Network Architecture, Virtualization and Cloud Security (Lab - Virtual Machine Setup), Network Device Security, Networking and Protocols (Lab - tcpdump), Securing Wireless Networks (Lab - Aircrack-ng), and Securing Web Communications (Lab - Wireshark). In any organization, whether large or small, not all data is created equal. Some data is routine and incidental, while other information can be very sensitive, the loss of which could cause irreparable harm to an organization.
Understanding attacks, the vulnerability behind those attacks and how to prioritize the information and steps to secure the systems will be essential. Common attacks occur with web applications, authentication and other forms of communication. It is imperative to gain familiarity with protocols and techniques used to monitor, stop and even perform attacks against systems.
CPE/CMU Credits: 8
SEC401.1 Network Security Essentials - Module Outline
Module 1: Defensible Network Architecture
Involves the fundamentals of network architecture, including attacks against network devices, network topologies and network design.
Module 2: Virtualization and Cloud Security
Involves understanding and learning what virtualization is and how it works, the most common form of virtualization and how virtual machines interact with multiple operating systems.
Module 3: Network and Device Security
Involves understanding the different devices that are deployed on a network and how they function.
Module 4: Networking and Protocols
Involves understanding the properties and functions of network protocols and the network protocol stacks.
Module 5: Securing Wireless Networks
Involves the aspects of deploying and utilizing wireless networks. Students will understand wireless technologies.
Module 6: Securing Web Communications
Involves understanding how web applications work. Learn best practices for creating secure web applications and how to identify and fix vulnerabilities in web applications.
To secure an enterprise network, you must understand the general principles of network security. In 401.2, we look at threats to our systems and take a "big picture" look at how to defend against them. You will learn that protections need to be layered: a principle called defense-in-depth. We explain some principles that will serve you well in protecting your systems. You will also learn about key areas of network security.
The course starts with information assurance foundations. Students look at security threats, and how they have impacted confidentiality, integrity, and availability. The first half of the day also covers creating sound security policies and password management, including tools for password strength on both Unix and Windows platforms. The day draws to a close by looking at attack strategies and how the offense operates.
Students will understand that to properly secure and defend a network, you must first have a clear and strong understanding of both the logical and physical components of an architecture. In security (and design), huge mistakes have been made because the security architect did not look at the system as a whole, but rather focused on a particular problem, which weakened the overall analysis. It is always important to remember that analyzing the security of something as complex as a network is in itself a complex process.
CPE/CMU Credits: 8
SEC401.2 Defense-In-Depth and Attacks - Module Outline
Module 7: Defense-in-Depth
Involves understanding what defense in depth is and an overview of the key areas of security.
Module 8: Access Control & Password Management
Involves understanding the fundamental theory of access control.
Module 9: Security Privacy
Involves understanding how to assess a policy by establishing a baseline framework to work within and a mission statement that defines your policies.
Module 10: Critical Security Controls
Involves understanding the purpose and background of the Critical Security Controls.
Module 11: Malicious Code and Exploit Mitigation
Involves understanding the details of the Mitnick-Shimomura attack, as well as what we can learn from this attack to appropriately protect our networks against these threats.
Module 12: Advanced Persistent Threat (APT)
Involves learning the new threats that exist in cyberspace and effective ways for dealing with these threats. Students will also understand what an APT is and the basic strategies of how they work and operate.
Whether targeting a specific system or just searching the Internet for an easy target, an attacker uses an arsenal of tools to automate finding new systems; mapping out networks; and probing for specific, exploitable vulnerabilities. This phase of an attack is called reconnaissance, and it can be launched by an attacker any amount of time before exploiting vulnerabilities and gaining access to systems and networks. In fact, evidence of reconnaissance activity can be a clue that a targeted attack is on the horizon.
Those in charge of system and network security cannot afford to be any less proficient in discovering and eliminating these vulnerabilities than the attackers are at finding and exploiting them. One strategy is to make full use of the very tools being used against you and to do it regularly. With security, proper visibility is critical. If you do not understand or know about vulnerabilities, this puts you at a disadvantage, especially based on the fact that the adversary is usually aware of these exposures. The more you know about your environment, the better you can protect it.
This module covers technology, tools, and techniques used for information gathering, network mapping, vulnerability scanning, and the management application of mapping and scanning technology, including exploitation. First, let's set the stage in terms of the management expectation of such a program. Second, we define threat vectors and common sources of reconnaissance on your systems. Then, we examine some of the classic probing tools and their impact. We then show you how to use your own tools to find vulnerabilities before the attackers do. Finally, we will show the basic steps of how to do a penetration test to verify and validate the security of your organization.
CPE/CMU Credits: 8
SEC401.3 Threat Management - Module Outline
Module 13: Vulnerability Scanning and Penetration Testing
Involves understanding the concepts and relationships behind reconnaissance, resource protection, risks, threats and vulnerabilities.
Module 14: Network Security Devices
Involves taking a look at the three main categories of network security devices: firewalls, NIDS and NIPS. Together they provide a complement of prevention and detection capabilities.
Module 15: Endpoint Security
Involves understanding the overall importance and concepts of endpoint security. In this module, we will examine some of the key components, strategies, and solutions for implementing endpoint security.
Module 16: SIEM/Log Management
Involves students obtaining a high-level understanding of what logging is and why it is important.
Module 17: Active Defense
Involves explaining what active defense is and how it can be used. You will get an appreciation for new ways to approach security and how to make your defensive solutions more active.
There is no silver bullet when it comes to security. However, there is one technology that would help solve a lot of security issues, though few companies deploy it correctly. This technology is cryptography. Concealing the meaning of a message can prevent unauthorized parties from reading sensitive information. SEC401.4 looks at various aspects of encryption and how it can be used to secure a company's assets. A related area called steganography, or information hiding, is also covered.
Cryptography, the science of secret writing, helps us communicate without revealing the meaning of information to adversaries. It also potentially validates to whom we are communicating. It can protect any kind of data, from very sensitive information, such as Internet-based commerce and banking transactions, to harmless messages you would prefer that no one else knew about, such as a letter to a friend. Cryptography (abbreviated as crypto) can provide a great deal of confidentiality and integrity checks for information. However, it is not a silver bullet, and it can lead to a tremendous false sense of security unless used properly and implemented correctly. Cryptography should always be a part of a larger defense-in-depth strategy, providing just one layer of the security onion.
CPE/CMU Credits: 8
SEC401.4 Cryptography, Risk Management and Response - Module Outline
Module 18: Cryptography
Involves students having a basic understanding of the fundamental concepts of cryptography.
Module 19: Cryptography Algorithms and Deployment
Involves students having a high-level understanding of the mathematical concepts that contribute to modern cryptography.
Module 20: Applying Cryptography
Involves having a high-level understanding of what VPNs are and how they operate. Students will also understand the functionality of the GPG cryptosystem and how it operates.
Module 21: Incident-Handling Foundations
Involves understanding the concepts of incident handling and the six-step incident-handling process. Students will also be able to identify areas of law that are important to incident handling and understand important practices in handling evidence.
Module 22: Contingency Planning - BCP/DRP
Involves understanding the critical aspects of contingency planning with a business continuity plan (BCP) and disaster recovery plan (DRP).
Module 23: Risk Management
Involves understanding the terminology and basic approaches to cyber security risk management.
Remember when Windows was simple? Windows XP desktops in a little workgroup... what could be easier? A lot has changed over time. Now, we have Windows tablets, Azure, Active Directory, PowerShell, Office 365, Hyper-V, Virtual Desktop Infrastructure (VDI), and so on. Microsoft is battling Google, Apple, Amazon.com, and other cloud giants for supremacy. The trick is to do it securely, of course.
Windows is the most widely-used and targeted operating system on the planet. At the same time, the complexities of Active Directory, PKI, BitLocker, AppLocker, and User Account Control represent both challenges and opportunities. This section will help you quickly master the world of Windows security while showing you the tools that can simplify and automate your work. You will complete the day with a solid grounding in Windows security, by looking at automation, auditing and forensics.
This module discusses the infrastructure that supports Windows security. This is the big-picture overview of the Windows security model, and it provides the background concepts necessary to understand everything else that follows. Because it is the big picture, we can't talk about everything, but many of the details will be filled in throughout the following modules.
CPE/CMU Credits: 8
SEC401.5 Windows Security - Module Outline
Module 24: The Windows Security Infrastructure
Involves the ability to identify the different types of Windows operating systems and the differences between them.
Module 25: Service Packs, Hotfixes, and Backups
Involves the understanding of how to manage Windows Service Packs and Hotfixes for a network of Windows hosts.
Module 26: Windows Access Controls
Involves understanding how permissions are applied in the Windows NT File System, Shared Folders, Printers, Registry Keys, and Active Directory, and how Privileges are applied.
Module 27: Enforcing Security Policy
Involves having a high-level understanding of the features of Group Policy and working with INF security templates.
Module 28: Securing Windows Network Services
Involves understanding how to take basic measures to secure Windows network services.
Module 29: Automation, Auditing, and Forensics
Involves an introduction to the techniques and technologies used to audit Windows hosts.
While organizations do not have as many Unix/Linux systems, those that they do have are often some of the most critical systems that need to be protected. SEC401.6 provides step-by-step guidance to improve the security of any Linux system. The course combines practical "how to" instructions with background information for Linux beginners, as well as security advice and best practices for administrators of all levels of expertise.
This module discusses the foundational items that are needed to understand how to configure and secure a Linux system. It also provides an overview of the operating system and mobile markets. To lay a foundation, it provides an overview of the different operating systems that are based on Linux.
CPE/CMU Credits: 6
SEC401.6 Linux Security - Module Outline
Module 30: Linux Security: Structure, Permissions and Access
Involves the foundational items that are needed to understand how to configure and secure a Linux system, together with an overview of the operating system and mobile markets and of the different operating systems that are based on Linux.
Module 31: Hardening and Securing Linux Services
Involves methods, tips, and tricks for hardening and securing Linux services. The Golden Rule to always remember is: The best way to secure a service is to turn it off.
Module 32: Monitoring and Attack Detection
Involves configuring and monitoring logs, logging with syslog and alternatives, parsing and filtering logs with grep, sed, awk, and cut, and monitoring and accounting with auditd.
Module 33: Security Utilities
Involves some security-enhancement utilities, capabilities, and patch-management applications.
To give you an idea of the effectiveness of the course, here is what a few former students have said about it:
"SEC401 provides an excellent overview of security fundamentals delivered by experienced industry professionals." - Jathan Watso, Department of Finance
"Excellent material for security professionals wanting a deeper level of knowledge on how to implement security policies, procedures, and defensive mechanisms in an org." - Brandon Smit, Dynetics
"SEC401 took what I thought I knew and truly explained everything to me. Now, I also UNDERSTAND the security essentials fundamentals and how/why we apply them. Loved the training, cannot wait to come back for more." - Nicholas Blanton, ManTech International
Security 401: Security Essentials Bootcamp Style consists of course instructions and hands-on sessions. To reinforce the skills covered in class and gain experience with the tools needed to implement effective security, there are hands-on labs every day. These lab sessions are designed to enable students to use the knowledge gained throughout the course in an instructor-led environment. Students will have the opportunity to install, configure, and utilize the tools and techniques that they have learned. In class, you will receive a USB drive with 2 virtual machines, but it is critical that you have a properly configured system prior to class.
IMPORTANT: You can use any 64-bit version of Windows or macOS as your core operating system, provided it can install and run VMware virtualization products. You also must have a minimum of 8 GB of RAM for the VMs to function properly in the class. A VMware product must also be installed prior to coming to class. Verify that virtualization support is ENABLED in the BIOS.
IMPORTANT: Credential Guard may interfere with the ability to run VMs, so it is important that you start up VMware prior to class and confirm that virtual machines can run. It is required that Credential Guard is turned off prior to coming to class.
Mandatory System Requirements
Mandatory Downloads prior to coming to class:
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
Please download and install VMware Workstation 11, VMware Fusion 7, or VMware Player 7 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
SEC401 Checklist
I have confirmed that:
If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.
Anyone who works in security, is interested in security, or has to understand security should take this course, including:
Use this sample training request letter, or elements of it, to justify the time and budget required to complete SANS training to your manager. Simply copy and paste text into an email to your manager, then make any necessary adjustments to personalize the information.
SEC401 Security Essentials Bootcamp Style covers all of the core areas of security and assumes a basic understanding of technology, networks, and security. For those who are brand new to the field with no background knowledge, SEC301: Intro to Information Security would be the recommended starting point. While SEC301 is not a prerequisite, it will provide the introductory knowledge that will help maximize the experience with SEC401.
For those who are more advanced, SEC501: Enterprise Defender might be the more appropriate course to take.
SEC401 is an interactive hands-on training course. The following are some of the lab activities that students will carry out:
"One of the things I love to hear from students after teaching Security 401 is 'I have worked in security for many years and after taking this course I realized how much I did not know.' With the latest version of Security Essentials and the Bootcamp, we have really captured the critical aspects of security and enhanced those topics with examples to drive home the key points. After you have attended Security 401, I am confident you will walk away with solutions to problems you have had for a while, plus solutions to problems you did not even know you had."
- Eric Cole