SANS Tutorials

The Top 20 are listed below. You will find the full document describing the Top 20 Most Critical Security Controls posted at the Center for Strategic and International Studies.

One of the best features of the course is that it uses offense to inform defense. In other words, you will learn about the actual attacks that you'll be stopping or mitigating. That makes the defenses very real, and it makes you a better security person.

As a student of the 20 Critical Security Controls two-day course, you'll learn important skills that you can take back to your workplace and use your first day back on the job in implementing and auditing each of the following controls:

Critical Controls Subject to Automated Collection, Measurement, and Validation:

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations of Network Devices Such as Firewalls, Routers, and Switches
5. Boundary Defense
6. Maintenance and Analysis of Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based On Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention



Additional Critical Controls (not directly supported by automated measurement and validation):

16. Secure Network Engineering
17. Penetration Tests and Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Training to Fill Gaps

If we don't keep up with their latest methods, our overall defenses and incident response practices will grow rusty. To help fight back, this action-packed course describes these latest attack trends and what you can do to thwart the bad guys. In addition to detailed descriptions of how the attacks function, you'll get hands-on experience with the tools and their defenses.
This fast-paced, intermediate-to-advanced course is ideal for students who have taken a multi-day hacking course in the past (offered by other training organizations or SANS' own 504 or 560 courses) and are looking to update their understanding and skills. Also, if you are preparing for that final push on your GCIH certification, this session can help you brush up and refresh your knowledge of computer attacks before taking the exam.

IMPORTANT - BRING YOUR OWN LAPTOP WITH WINDOWS

To get the most value out of the course, students are required to bring their own laptop so that they can connect directly to the workshop network that we will create. It is the students' responsibility to make sure that the system is properly configured with all drivers necessary to connect to an Ethernet network.
Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class.

Windows

You are required to bring Windows 7 (Professional or Ultimate), Windows Vista (Business or Ultimate), Windows XP Pro, or Windows 2003 or 2008 Server, either a real system or a virtual machine. Windows 7 Home, Windows Vista Home, Windows XP Home, and Windows 2000 (all versions) will NOT work for the class as they do not include all of the built-in capabilities we need for comprehensive analysis of the system. You are also required to bring your own virtual machine image of XP SP2 or XP SP3.
The course includes a VMware image file of a guest Linux system that is larger than 2 GB. Therefore, you need a file system with the ability to read and write files that are larger than 2 GB, such as NTFS on a Windows machine.

IMPORTANT NOTE: You will also be required to disable your anti-virus tools and personal firewalls temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. Also ensure that you can install software that may be blocked by administrative or security controls due to their nature. You will be installing various debuggers and vulnerable applications onto the VM's.

VMware
You will use VMware to run Windows and Linux operating systems simultaneously when performing exercises in class. You must have either the free VMware Player 2.0 or later or the commercial VMware Workstation 5.0 or later installed on your system prior to coming to class. You can download VMware Player for free at www.vmware.com. Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation from www.vmware.com. VMware will send you a time- limited license number for VMware Workstation if you register for the trial at their Web site. No license number is required for VMware Player.
We will give you a DVD full of attack tools to experiment with during the class and take home for later analysis. We will also provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.

Linux
You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation or VMware Player. The class does not support VirtualPC or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements

• PIII 1Ghz CPU Minimum / M Series 1.5 GHz or higher is recommended
• DVD/CD Combo Drive
• 1 Gigabyte of RAM minimum, 2 Gigabyte or more is highly recommended
• 40 Gigabyte Hard Drive minimum (HARD DRIVE SIZE IS CRITICAL)
• 30 Gigabytes of Free Space on your Hard Drive
• Download and install WINZIP 11 or higher on your Windows Machine
• Bring your INSTALLATION CD-ROMS or DVDs to the course
• Verify that your processor architecture supports your VMware version. Do not wait until the day of class.
• Ethernet adaptor

Paranoia is Good
During the workshop, you will be connecting to one of the most hostile networks on planet earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.
By bringing the right equipment and preparing in advance, you can maximize what you'll see and learn as well as have a lot of fun.
You will use VMware to run multiple operating systems when performing class exercises. Linux VM's with all necessary tools will be provided on a DVD on the first day.

With these benefits comes a dark side, however. Virtualization technology is the focus of many new potential threats and exploits and presents new vulnerabilities that must be managed. In addition, there are a vast number of configuration options that security and system administrators need to understand, with an added layer of complexity that has to be managed by operations teams. Virtualization technologies also connect to network infrastructure and storage networks and require careful planning with regard to access controls, user permissions, and traditional security controls.

Attendees will learn about virtualization security fundamentals with an in-depth treatment of today's most pressing virtualization security concerns: known attacks and threats, theoretical attack methods, and numerous real-world examples. Then we'll turn our attention to today's most popular enterprise server virtualization product, VMware vSphere. Attendees will learn about every aspect of locking down ESX and ESXi servers and the vCenter management server, as well as best practices for securing the virtual machine guests that reside on ESX and ESXi platforms. We'll also cover virtualization networking techniques in detail, laying out proven strategies for proper segmentation, virtual switching and routing considerations, network access controls and layer 2 policies, as well as how to build virtual DMZs and integrate with existing network infrastructure. The latest vSphere technologies will be covered, including Distributed Virtual Switches, vShield Zones, and Host Profiles.

Finally, attendees will learn essential strategies for securing storage interfaces to vSphere, as well as best practices for backup, recovery, and redundancy. We'll then wrap up with extensive information about compliance ramifications from virtualization, strategies to create and maintain compliance-focused controls using VMware, and operations processes and concepts to focus on, such as change and configuration management, separation of duties, and least privilege.

• Virtualization Basics and Introduction
• Virtual Networking
• Virtual Switch Security Policies
• Command-line Virtual Network Configuration and Administration
• Virtual Network Architecture Design
• vCenter Security and Administration
• Virtual Infrastructure Client Security
• ESX and ESXi Security
• ESX File System Security
• VM Guest Security
• Storage Considerations
• Backup and Recovery
• Virtualization Risk Assessment
• Virtualization Threats
• Virtualization Vulnerabilities
• Virtualization Attacks
• Virtualization Audit and Compliance

Who Should Attend

• Security personnel who are tasked with securing VMware virtualization technologies
• Network and systems administrators who need to understand how to architect, secure, and maintain virtualization technologies.
• Technical auditors and consultants who need to gain a deeper understanding of VMware virtualization from a security and compliance perspective

Laptop Requirements:

Laptops for this lab exercises will be provided for students to use during class. Students will be given CDs with labs loaded to take home after class.

IPv6 is currently being implemented at a rapid pace in Asia in response to the exhaustion of IPv4 address space, which is most urgently felt in rapidly growing networks in China and India. Even if you do not feel the same urgency of IP address exhaustion, you may have to connect to these IPv6 resources as they become more and more important to global commerce.

This course will introduce network administrators and security professionals to the basic concepts of IPv6. While it is an introduction to IPv6, it is not an introduction to networking concepts. You should understand and be aware of the basic concepts of IPv4, and networking in general. It is an ideal refresher if you took SEC503 Intrusion Detection in Depth. However, you do not need to know IPv4 in the full detail in which it is presented in SEC503. The networking and IPv4 principles taught in SEC401 Security Essentials should prepare you for this course.

Laptop Requirements:

Students are required to bring a laptop running Windows or Linux. OS X should work too. Hardware Requirements:

• CD-ROM drive
• 10 GB free disk space
• 512 MB RAM (1 GB is recommended)

Laptops running Windows or Linux should have VMware Workstation or Player. VMware Server may NOT work. OS X users should have VMware Fusion.