RSA Conference 2013

USA 2013

February 25 - March 1

San Francisco

SANS Tutorials

Sunday and Monday

Immerse yourself in an intensive, skill-building two-day session led by respected authorities from the SANS Institute.

Topics Include:

TUT-S21 - 20 Critical Security Controls: Planning, Implementing and Auditing

Dates: Sunday, February 24th & Monday, February 25th

Time: 9AM – 5PM

Speaker: James Tarala, SANS Senior Instructor

Abstract: This course helps you master specific proven techniques and the tools needed to implement and audit the Top Twenty Most Critical Security Controls. For security professionals, the course enables you to see how to put the controls in place in your existing network through effective and widespread use of cost-effective automation. For auditors, CIOs and risk officers, the course offers the best way to understand how you will measure whether the Top Twenty controls are effectively implemented.


This course helps you master specific proven techniques and the tools needed to implement and audit the Top Twenty Most Critical Security Controls. The Top Twenty Security Controls, listed below, are rapidly becoming the highest priorities at all serious and sensitive organizations. These controls were selected and defined by the US military and other government and private organizations (including NSA, DHS, GAO, and many others) who are the most respected experts on how attacks actually work and what can be done to stop them. They defined these controls as their consensus for the best way to block the known attacks and the best way to help find and mitigate damage from the attacks that get through. For security professionals, the course shows how to put controls in place in your existing network through effective and widespread use of cost-effective automation. For auditors, CIOs and risk officers, the course is the best way to understand how to measure whether the Top Twenty controls are effectively implemented. You will find the full document describing the Top 20 Most Critical Security Controls posted at the Center for Strategic and International Studies.

One of the best features of the course is that it uses offense to inform defense. In other words, you will learn about the actual attacks that you'll be stopping or mitigating. That makes the defenses very real, and it makes you a better security person.

As a student of the 20 Critical Security Controls two-day course, you'll learn important skills that you can take back to your workplace and use your first day back on the job in implementing and auditing each of the following controls:

Critical Controls Subject to Automated Collection, Measurement, and Validation:
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations of Network Devices Such as Firewalls, Routers, and Switches
5. Boundary Defense
6. Maintenance and Analysis of Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based On Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention
Additional Critical Controls (not directly supported by automated measurement and validation):
16. Secure Network Engineering
17. Penetration Tests and Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Training to Fill Gaps

TUT-S22 - Cloud Security Fundamentals

Date: Sunday, February 24th & Monday, February 25th

Time: 9AM – 5PM

Speaker: Dave Shackleford, SANS Senior Instructor

Abstract: This course starts out with a detailed introduction to the various delivery models of cloud computing ranging from Software as a Service (SaaS) to Infrastructure as a Service (IaaS) and everything in between. Each of these delivery models represents an entirely separate set of security conditions to consider, especially when doing business with Cloud Service Providers (CSPs).


Many organizations today are feeling pressure to reduce IT costs and optimize IT operations. Cloud computing is rapidly emerging as a viable means to create dynamic, rapidly provisioned resources for operating platforms, applications, development environments, storage capabilities, backup capabilities and many more IT functions. A staggering number of security considerations exist that information security professionals need to consider when evaluating the risks of cloud computing.

The first fundamental issue is the loss of hands-on control of system, application, and data security. Many of the existing best practice security controls that infosec professionals have come to rely on are not available in cloud environments, stripped down in many ways, or not able to be controlled by security teams. Security professionals must become heavily involved in the development of contract language and Service Level Agreements (SLAs) when doing business with Cloud Service Providers (CSPs). Compliance and auditing concerns are compounded. Control verification and audit reporting within CSP environments may be less in-depth and less frequent than audit and security teams require.

The SANS Cloud Security Fundamentals course starts out with a detailed introduction to the various delivery models of cloud computing, ranging from Software as a Service (SaaS) to Infrastructure as a Service (IaaS) and everything in between. Each of these delivery models represents an entirely separate set of security conditions to consider, especially when coupled with the various cloud types: public, private and hybrid. An overview of the security issues within each of these models will be covered, with detailed discussion of the risks to consider. Attendees will go in-depth on architecture and infrastructure fundamentals for private, public, and hybrid clouds. A wide range of topics will be covered, including patch and configuration management, virtualization security, application security, and change management. Policy, risk assessment and governance within cloud environments will be covered, with recommendations for both internal policies and contract provisions to consider. This path leads to a discussion of compliance and legal concerns. The first day will wrap up with several fundamental scenarios for students to evaluate.

Attendees will start off the second day with coverage of audits and assessments for cloud environments. The day will include hands-on exercises for students to learn about new models and approaches for performing assessments, as well as for evaluating audit and monitoring controls. Next the class will turn to protecting the data itself! New approaches for data encryption, network encryption, key management and data lifecycle concerns will be covered. The challenges of identity and access management in cloud environments will also be discussed. The course will then move into disaster recovery and business continuity planning using cloud models and architecture. Intrusion detection and incident response in cloud environments will be covered, along with how best to manage these critical security processes and the technologies that support them, given that most controls are managed by the CSP.

Laptop Requirements

Security 524 requires a Windows computer with the following minimum hardware requirements:

  • 1.5GHz 64-bit processor (higher is recommended)
  • 4GB RAM (more memory is highly recommended)
  • 25 GB free hard disk space
  • DVD ROM drive
  • VMware Workstation or Player
  • Wireless network adapter
  • Microsoft Office or OpenOffice and a PDF reader application

TUT-S23 - Lethal Digital Forensic Techniques and Memory Analysis

Date: Sunday, February 24th & Monday, February 25th

Time: 9AM – 5PM

Speaker: Rob Lee, SANS Fellow

Abstract:
Every action that adversaries make leaves a trace; you merely need to know where to look. Lethal Digital Forensic Techniques and Memory Analysis will give you the tools and techniques necessary to master advanced incident response, investigate data breach intrusions, find tech-savvy rogue employees, counter the Advanced Persistent Threat, and conduct complex digital forensic cases.


Over the past two years, we have seen a dramatic increase in sophisticated attacks against nearly every type of organization. Economic espionage in the form of cyber-attacks, also known as the Advanced Persistent Threat (APT), has proven difficult to suppress. Attackers from Eastern Europe and Russia continue to steal credit card and financial data resulting in millions of dollars of losses. Hacktivist groups attacking government and Fortune 500 companies are becoming bolder and more frequent.

Sophisticated hackers can advance rapidly through your network using advances in spear phishing, web application attacks, and custom malware. Incident Responders and Digital Forensic Investigators must master a variety of operating systems, investigative techniques, incident response tactics, and even legal issues in order to combat challenging intrusion cases across the enterprise.

Attackers will use anti-forensic techniques to hide their tracks. They use rootkits, file wiping, timestamp adjustments, privacy cleaners, and complex malware to hide in plain sight and avoid detection by standard host-based security measures. Every action that adversaries make leaves a trace; you merely need to know where to look.

Our adversaries are good and getting better. Are we learning how to counter them? Yes we are. Learn how.

Lethal Digital Forensic Techniques and Memory Analysis will give you the tools and techniques necessary to master advanced incident response, investigate data breach intrusions, find tech-savvy rogue employees, counter the Advanced Persistent Threat, and conduct complex digital forensic cases.
This course uses the popular SIFT Workstation to teach investigators how to investigate sophisticated crimes. SIFT contains hundreds of free and open source tools, easily matching any modern forensic tool suite. It demonstrates that advanced investigations and incident response can be accomplished using frequently updated, cutting-edge open source tools.

Laptop Requirements

IMPORTANT – Bring your own system configured using these directions:

A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

You can use any version of Windows, Mac OS X, or Linux as your core operating system, provided it can install and run VMware virtualization products.

Please download and install VMware Workstation 8, VMware Fusion 5.0, or VMware Player 5.0 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site.

VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course.

MANDATORY FOR508 SYSTEM HARDWARE REQUIREMENTS:

  • CPU: 64bit x64 2.0 GHz or higher is recommended (Multi Core Preferred)
  • DVD/CD Combo Drive
  • Wireless 802.11 B/G/N Networking Capability
  • 4 Gigabytes of RAM minimum (more RAM is recommended due to virtual machine requirements)
  • 200 Gigabyte Host System Hard Drive minimum
  • 100 Gigabytes of Free Space on your System Hard Drive

MANDATORY FOR508 SYSTEM SOFTWARE REQUIREMENTS:

  • Host Operating System: Any version of Windows, MAC OSX, or Linux operating system that also can install and run VMware virtualization products
  • Install VMware Workstation 8, VMware Fusion 5.0, or VMware Player 5.0 (higher versions are ok)
  • Download and install 7Zip
  • Download and unzip the SIFT Workstation VIRTUAL MACHINE DISTRO.zip
  • Bring pre-configured Windows OS Virtual Machine
  • Create a new Windows 7 OS Virtual Machine Workstation (any Win7 versions)

Install the following on your host Windows machine (if your host is Mac or Linux, install it inside the Windows VM):

  • Install MS Office 2010 (Demo Version for 60 Day Free Trial - You need EXCEL 2007 or higher for this class - No exceptions)
  • Install latest version of RedLine (1.6 or higher)

Bring/install any other forensic tool you feel could be useful (EnCase, FTK, etc.). For the final challenge, you can utilize any forensic tool, including commercial capabilities, to help you and your team. If you have any dongles or licensed software, you are free to use them.

TUT-S24 - Mobile Device Security

Date: Sunday, February 24th & Monday, February 25th

Time: 9AM – 5PM

Speaker: Kevin Johnson, Senior Instructor

Abstract:
Students will examine the threats and vulnerabilities affecting mobile device deployments, understand legal issues and constraints facing organizations, and develop policies and controls to guide mobile device use. Focusing on Apple iOS, Android, BlackBerry and Windows Phone devices, students will learn about the architectural strengths and weaknesses of each platform, identifying countermeasures and risk mitigation tactics to protect against common threats.


One constant in the rapidly evolving mobile device market is user demand for access to corporate data. Whether corporate or employee-owned (the bring your own device or BYOD model), mobile device use creates new challenges for organizations that must safeguard sensitive data.

This course is designed to help students gain the skills necessary to implement a secure mobile device deployment. Students will examine the threats and vulnerabilities affecting mobile device deployments, understand legal issues and constraints facing organizations, and develop policies and controls to guide mobile device use. Focusing on Apple iOS, Android, BlackBerry and Windows Phone devices, students will learn about the architectural strengths and weaknesses of each platform, identifying countermeasures and risk mitigation tactics to protect against common threats. Students learn to use a combination of policy, mobile device management (MDM) and network controls to defend against common threats including mobile device malware, stolen devices, wireless attacks and rooted or jailbroken devices. Throughout the course, a combination of lecture, hands-on lab exercises and real-world experience is used to guide students through a tested model for secure mobile device use.

A Sampling of Topics

  • Evaluating mobile device management (MDM) solutions
  • Wireless LAN design and deployment
  • Mitigating the threat of stolen devices
  • Legal issues affecting mobile device deployments
  • Architectural weaknesses in Apple iOS, Android, BlackBerry and Windows Phone
  • Building a lab for testing mobile device controls
  • Developing policies for mobile device use
Laptop Requirements

Laptop Requirements:

Mobile Device Security requires a Windows, Linux or Macintosh computer with the following minimum hardware requirements:

  • 1GHz processor
  • 2GB RAM (More memory is highly recommended)
  • 10 GB free hard disk space
  • DVD ROM drive

Please install the following software on the computer:

  • VMware Player 3.x, VMware Workstation 6.x or newer, or VMware Fusion (Server and ESX are not supported)
  • Firefox browser

You must have the ability to disable the host firewall (Windows firewall or other third party firewall) and antivirus running on your desktop. This usually means you need to have administrative privilege on the machine.

DO NOT plan on just killing your antivirus service or processes, because most antivirus tools still function even when their associated services and processes have been terminated.