Sans 507 pdf
What should the answers to those questions be? How does continuous monitoring fit in and how do you architect those processes? Students regularly describe section two in two ways.

First, they say it's the most difficult section of the course; then they add that it filled in the gaps they had in understanding how networks really work and how they should be secured.

Web applications seem to stay at the top of the list of security challenges faced by enterprises today. The organization needs an engaging and cutting-edge web presence, but the very technologies which allow the creation of compelling and data-rich websites also make it very challenging to provide proper security for the enterprise and its customers.

Unlike other enterprise systems, our web applications are freely shared with the world and exposed to the potential for constant attack. We begin this section with a discussion of the suite of technologies which make modern web applications work and the tools which auditors can use to identify, analyze and manipulate these technologies as part of a well-designed and thorough security audit.

We also introduce the use of proxies in testing web applications by capturing, examining, and sometimes manipulating the traffic between a web client and the server. From this foundation, we build a list of five critically important web development and deployment practices which serve as the basis for performing rigorous testing of web applications in the enterprise.

We dedicate most of section three to teaching the controls which can be used to secure applications and the skills needed to test and validate these controls. We develop and use a checklist for testing the most common and important security vulnerabilities.

Throughout the section, students have the opportunity to use these tools to test sample web applications similar to those commonly deployed in today's enterprises. We also offer advice on how engineers, administrators, and developers can better secure the web technologies they design, implement and maintain.

And finally, we discuss the best ways to report on findings and make useful recommendations.

The majority of systems encountered on most enterprise audits are running Microsoft Windows in some version or another. The centralized management available to administrators has made Windows a popular enterprise operating system.

The sheer volume of settings and configurable controls, coupled with the large number of systems often in use, makes auditing Windows servers and workstations a huge undertaking.

In section four, we teach students how to audit Windows systems and Active Directory domains at scale. We begin with an introduction to Windows PowerShell, covering how to use the shell and moving on to writing and editing scripts which allow the auditor to perform repetitive tasks quickly and reliably.

Throughout the section we work to build a comprehensive baseline auditing script which can be used to audit all of the systems within a domain. Most of this course section is spent examining operating system security in general, and Windows security in particular.

We continue with discussions of user management, user rights management, file, registry, and share permissions. Finally, we wrap up the section by exploring Windows logging options and how to use the tools and scripts developed during the day to perform meaningful continuous monitoring of the Windows domain and systems.

One of the primary goals of the material presented is to allow the auditor to move from checking registry settings to helping administrators to create a comprehensive management process that automatically verifies settings. With this type of system in place, the auditor can step back and begin auditing the management processes which generally help us to be far more effective.
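The baseline auditing script described above, as an added example that is not the course's own code: it pulls every enabled Windows computer from Active Directory, collects a handful of the controls the section discusses (local Administrators membership, logon audit policy, Security log size and retention, shares open to Everyone, and write access to a sensitive Run registry key) from each host over PowerShell Remoting, and compares the results against an expected baseline. It assumes the RSAT ActiveDirectory module on the auditing host, WinRM enabled on the targets, and an account with local administrator rights on them; the allow-list and thresholds in $Expected are illustrative assumptions, not SANS guidance.

```powershell
# Added example (not AUD507 courseware). Assumes RSAT ActiveDirectory module,
# PS Remoting enabled on targets, and local admin rights on them.
Import-Module ActiveDirectory

# Expected baseline: illustrative assumptions; replace with your own standard.
$Expected = @{
    Admins         = @('Administrator', 'CORP\Domain Admins')   # assumed allow-list
    LogonAudit     = 'Success and Failure'
    MinSecLogBytes = 1GB
}

# Every enabled Windows computer account in the domain.
$targets = Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem |
    Where-Object { $_.OperatingSystem -like 'Windows*' } |
    Select-Object -ExpandProperty DNSHostName

# Runs on each target; returns one object per host.
$collect = {
    $admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }

    # auditpol /r emits CSV; 'Inclusion Setting' holds the effective audit setting.
    $audit  = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv
    $secLog = Get-WinEvent -ListLog Security

    # Non-administrative shares that grant Everyone any Allow ACE.
    $openShares = foreach ($s in (Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' })) {
        $everyone = Get-SmbShareAccess -Name $s.Name |
            Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }
        if ($everyone) { $s.Name }
    }

    # Broad principals with write rights on a persistence-relevant key.
    $runAcl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runWriters = $runAcl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.RegistryRights -match 'SetValue|WriteKey|FullControl' -and
                       $_.IdentityReference.Value -match 'Users|Everyone' } |
        ForEach-Object { $_.IdentityReference.Value }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Admins        = @($admins)
        LogonAudit    = $audit.'Inclusion Setting'
        SecLogBytes   = $secLog.MaximumSizeInBytes
        SecLogMode    = $secLog.LogMode
        OpenShares    = @($openShares)
        RunKeyWriters = @($runWriters)
    }
}

$results = Invoke-Command -ComputerName $targets -ScriptBlock $collect `
    -ErrorAction SilentlyContinue -ErrorVariable unreachable

# Compare collected state against the baseline and emit one row per deviation.
$findings = foreach ($r in $results) {
    $extra = $r.Admins | Where-Object { ($_ -split '\\')[-1] -notin ($Expected.Admins | ForEach-Object { ($_ -split '\\')[-1] }) }
    if ($extra) {
        [pscustomobject]@{ Computer = $r.Computer; Check = 'LocalAdmins';    Detail = ($extra -join ', ') }
    }
    if ($r.LogonAudit -ne $Expected.LogonAudit) {
        [pscustomobject]@{ Computer = $r.Computer; Check = 'LogonAudit';     Detail = $r.LogonAudit }
    }
    if ($r.SecLogBytes -lt $Expected.MinSecLogBytes -or $r.SecLogMode -ne 'Circular') {
        [pscustomobject]@{ Computer = $r.Computer; Check = 'SecurityLog';    Detail = "$($r.SecLogBytes) bytes, $($r.SecLogMode)" }
    }
    if ($r.OpenShares.Count -gt 0) {
        [pscustomobject]@{ Computer = $r.Computer; Check = 'OpenShares';     Detail = ($r.OpenShares -join ', ') }
    }
    if ($r.RunKeyWriters.Count -gt 0) {
        [pscustomobject]@{ Computer = $r.Computer; Check = 'RunKeyWritable'; Detail = ($r.RunKeyWriters -join ', ') }
    }
}

# Hosts that could not be reached are findings too: no evidence means no control.
foreach ($e in $unreachable) {
    [pscustomobject]@{ Computer = $e.TargetObject; Check = 'Unreachable'; Detail = $e.Exception.Message }
}

$stamp = Get-Date -Format 'yyyyMMdd'
$findings | Export-Csv -NoTypeInformation -Path "baseline-findings-$stamp.csv"
$findings | Format-Table -AutoSize
```

For continuous monitoring, schedule the script and diff each run's CSV against the previous one with Compare-Object on the Computer and Check columns; a finding that appears between runs is the event worth alerting on, while the full list is the audit evidence.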

While many enterprises today use Microsoft Windows for their endpoint systems, Linux and other Unix variants are well-established as servers, security appliances and in many other roles. Given the nature of the work these Unix variants do, it is critical to ensure their security. Add to that the fact that mass centralized administration is less likely to occur with these systems, and auditing at scale becomes even more important. We assume that students may have little or no Linux experience, and build skill during the day accordingly.

We begin with a discussion of system accreditation in a field where many servers are "snowflakes" - uniquely designed and different from our other enterprise systems. Neither Unix nor scripting experience is required for this section. The course book and hands-on exercises present an easy to follow method, and the instructor is prepared to help with any difficulty students have in this sometimes unfamiliar environment.

Section six is a capstone exercise which allows students to test and refine the skills learned throughout the course. Using an online "capture the flag" CTF engine, students are challenged to audit a simulated enterprise environment by answering a series of questions about the enterprise network, working through various technologies explored during the course.

At the conclusion of this section, students are asked to identify the most serious findings within the enterprise environment and to suggest possible root causes and potential mitigations.

GSNA certification holders have demonstrated knowledge of network, perimeter, and application auditing as well as risk assessment and reporting.

Deeper Linux experience will be helpful but is not required. The courseware and instruction provide the student with the information necessary to use the Linux systems and tools utilized in class.

A properly configured system is required to fully participate in this course. These requirements are the mandatory minimums.

If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. We strongly urge you to arrive with a system meeting all the requirements specified for the course. It is critical that you back-up your system before class. It is also strongly advised that you do not use a system storing any sensitive data.

You must be able to access your system's BIOS throughout the class. If your BIOS is password-protected, you must have the. The USB port must not be locked in hardware or software.

Some newer laptops may have only the smaller Type-C ports. To verify RAM on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac"; your RAM information will be toward the bottom of the page. SSDs are also highly recommended, as virtual machines run much faster from them than from mechanical hard drives. Make sure your operating system is fully updated with the correct drivers and patches prior to arriving in class.

The requirements below are in addition to baseline requirements provided above. Prior to the start of class, you must install virtualization software and meet additional hardware and software requirements as described below. If you do not carefully read and follow these instructions, you will leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course.

Being an excellent information technology auditor requires a special mix of skills. An effective auditor will know how to assess organizational risk, scope, plan and execute an audit engagement properly.

They must have the technical skills to design and perform tests of controls.

Each step will be examined in detail, including practical examples of how to apply it. Finally, students will learn about the artifacts that can best be used to determine the extent of suspicious activity within a given environment and how to migrate techniques to a large data set for enterprise-level analysis.

Malicious software is responsible for many incidents in almost every type of enterprise. We will define each of the most popular types of malware and walk through multiple examples. You will complete various in-depth labs requiring you to fully dissect a live Ransomware specimen from static analysis through code analysis.

You will get hands-on experience with using behavioral analysis techniques to trick the malware into revealing its functionality, and in decrypting files encrypted by ransomware by extracting the keys through reverse engineering. All steps are well defined and tested to ensure that the process to achieve these goals is actionable and digestible.

The concluding section of the course will serve as a real-world challenge for students by requiring them to work in teams, use the skills they have learned throughout the course, think outside the box, and solve a range of problems from simple to complex.

A web-based scoring system and Capture-the-Flag engine tracks points as students submit flags. More difficult challenges will be worth more points. In this defensive exercise, challenges include packet analysis, malware analysis, and other challenges related to the course material. It assesses the more advanced technical skills that are needed to defend the enterprise environment and protect an organization as a whole. GCED certification holders have validated knowledge and abilities in the areas of defensive network infrastructure, packet analysis, penetration testing, incident handling and malware removal.

This includes a detailed understanding of networks, protocols, and operating systems.

Antivirus software is not recommended and may need to be disabled or uninstalled. If you have a production system already installed with data on it that you do not want to lose, it is recommended that you replace it with a clean hard drive.

For simplicity, the following checklists are provided. You must be able to confirm every item on these checklists. Links for obtaining free trial copies of VMware are below; alternate hypervisors are not supported! Your course media and printed materials PDFs will need to be downloaded. The Course Media Image is 20 GB in size, so you need to allow plenty of time for the download to complete.

Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link.

You will need to install your VMs from course media before the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

In addition, this course uses an Electronic Workbook, designed to be viewed from within any of the provided VMs, containing step-by-step instructions for all lab exercises. My own multifaceted technology background makes me particularly enthusiastic about being the lead author for SEC, as the course reflects my own experience as a jack of all trades and provides the perfect opportunity to share that excitement with you!

Delivery formats: in person (6 days) or live online, with interactive sessions led by SANS instructors over one or more weeks; 38 CPEs. Instructors: Stephen Sims (Fellow) and Dave Shackleford (Senior Instructor).

You will use the VMware hypervisor to simultaneously run multiple VMs when performing hands-on exercises, therefore you must have VMware installed on your system.

We'll examine the latest threats to organizations, from watering hole attacks to endpoint security bypass, enabling you to get into the mindset of attackers and anticipate their moves. SEC gives you the information you need to understand how attackers scan, exploit, pivot, and establish persistence in cloud and conventional systems.

To help you develop retention and long-term recall of the course material, 50 percent of class time is spent on hands-on exercises, using visual association tools to break down complex topics. This course prepares you to conduct cyber investigations and will boost your career by helping you develop these in-demand skills. The goal of modern cloud and on-premises systems is to prevent compromise, but the reality is that detection and response are critical. Keeping your organization out of the breach headlines depends on how well incidents are handled to minimize loss to the company.

In SEC, you will learn how to apply a dynamic approach to incident response. Using indicators of compromise, you will practice the steps to effectively respond to breaches affecting Windows, Linux, and cloud platforms. You will be able to take the skills and hands-on experience gained in the course back to the office and apply them immediately.

Understanding the steps to effectively conduct incident response is only one part of the equation. To fully grasp the actions attackers take against an organization, from initial compromise to internal network pivoting, you also need to understand their tools and techniques. The first section of SEC focuses on how to develop and build an incident response process in your organization by applying the Dynamic Approach to Incident Response (DAIR) to effectively verify, scope, contain, assess, and remediate threats.

We'll apply this process in-depth with hands-on labs and examples from real-world compromises. In this course section we'll look at the techniques attackers use to conduct reconnaissance as a pre-attack step, including how they use open-source intelligence, network scanning, and target enumeration attacks to find the gaps in your network security. You'll use attacker techniques to assess the security of a target network, evaluating popular protocols and endpoints for Windows, Linux, and cloud targets.

After delivering the attacks, you'll investigate the logging data and evidence that remains to recognize these attacks as they happen.

Password attacks remain one of the most reliable mechanisms for attackers to bypass defenses and gain access to your organization's assets.

In this course section we'll investigate the complex attacks that exploit password and multi-factor authentication weaknesses, then use the access gained to reach other network targets.

In this course section we'll begin our look at target exploitation frameworks that take advantage of weaknesses on public servers and client-side vulnerabilities. Using the implicit trust of a public website, you'll apply attacker tools and techniques to exploit browser vulnerabilities, execute code with Microsoft Office documents, and exploit the many vulnerabilities associated with vulnerable web applications.

Building on password, public-facing, and drive-by attacks, we'll look at the attacks that happen after initial exploitation. You'll see how attackers bypass endpoint protection systems and use an initial foothold to gain access to internal network targets. You'll then apply the techniques you learn in privileged insider Local Area Network (LAN) attacks, using privileged access to establish persistence and seeing how attackers scan for and collect data from a compromised organization.

You will apply these skills to assess the security risks of a vulnerable cloud deployment through visualization and automated assessment techniques. Finally, we'll look at the steps to take after the course is over, turning what you've learned into long-term skills and helping you prepare for the certification exam. Our Capture-the-Flag event is a full day of hands-on activity that has you working as a consultant for ISS Playlist, a fictitious company that has recently been compromised.

You will apply all of the skills you've learned in class, using the same techniques used by attackers to compromise modern, sophisticated network environments. You will work on a team or independently to scan, exploit, and complete post-exploitation tasks against a cyber range of target systems including Windows, Linux, Internet of Things devices, and cloud targets.

This hands-on challenge is designed to help players practice their skills and reinforce concepts learned throughout the course. With an integrated hint system to give you the on-demand guidance you need to succeed, the event guides you through the steps to successfully compromise target systems, bypass endpoint protection platforms, pivot to internal network high-value hosts, and exfiltrate company data.

The GIAC Incident Handler certification validates a practitioner's ability to detect, respond, and resolve computer security incidents using a wide range of essential security skills.

GCIH certification holders have the knowledge needed to manage security incidents by understanding common attack techniques, vectors and tools, as well as defend against and respond to such attacks when they occur.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

It is critical that you back-up your system before class. It is also strongly advised that you do not bring a system storing any sensitive data. Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range.


