Brochure Sans

  • 8/8/2019 Brochure Sans

    1/40

    FREE COURSE EXCERPTS: www.sans.org/OnDemand

    The most extensive online library for cutting-edge information security courses in the world

    Top 5 Reasons to Take SANS OnDemand

    - Try any of over 30 courses anytime, anywhere
    - Taught by SANS Top Gun instructors including Dr. Eric Cole, Rob Lee, Ed Skoudis, and Dr. Johannes Ullrich
    - Includes video, labs, and hands-on exercises
    - Integrated assessments for GIAC Prep
    - No travel or time away from the office

    o & m

    25% discount on any course

    Register by April 30, 2010 and use the discount code: OD_CC

    2010 COURSE CATALOG

    Stephen Northcutt

    Dear Colleague,

    I would like to invite you to take a cutting-edge SANS security course in our newest version of SANS OnDemand online training and assessment system. This is the most comprehensive online training system available anywhere in the world, and with it, SANS delivers the same unparalleled content you would receive in our classroom environment. Choose a course from our online library, which includes SANS courses taught by our top instructors.

    SANS OnDemand is one of our most affordable training options and ideal for getting the most flexibility out of your training budget. Whether you're new to information security or have years of experience, you'll find SANS OnDemand delivering relevant and pragmatic training that is guaranteed to increase your effectiveness on the job!

    A great article on Computeruser.com addressed six must-ask questions to get the most out of your IT training. Find out what SANS OnDemand has to offer you and your organization by considering our answers to these essential questions.

    1. Who are your instructors?

    A select group of IT professionals who are the technology leaders shaping the future of information security. We have recorded the voices and stories of some of SANS top-rated instructors like Dr. Eric Cole, Rob Lee, Ed Skoudis, and Dr. Johannes Ullrich.

    2. How much hands-on practice is provided?

    Hands-on exercises are provided throughout the courses to demonstrate the use of specific tools or skills. Our users are able to do the hands-on exercises right in their home or office using their own computer systems.

    3. Where does the courseware come from?

    Our courseware is created by our leading instructors and is updated on a regular basis as technology evolves. OnDemand is also proven to be one of the most effective ways to prepare for GIAC Certification.

    4. Do you train for certification or competency?

    We do both with OnDemand. Every learning objective has an outcome statement that describes what knowledge or skill is encompassed in that learning objective. Assessment tests and hands-on exercises are given throughout the training to determine competency. At the end of the course, the student may attempt the GIAC certification.

    5. How big are your classes?

    There is a class size of one - all classes are completely Internet-based, and we are also available by e-mail or telephone if a student has any questions. Our program allows you to learn at your own pace and at times convenient to you instead of attending a class based on a set schedule.

    6. How can I control costs while maintaining convenience?

    Through our online program, we come to you over the Internet whenever and wherever you want to access training. Because many of the learning objectives are fairly short, even ten to fifteen minutes can be enough to make progress on your coursework.

    SANS OnDemand is the perfect solution if you have training requirements for just one person or a group of any size. Contact us at (301) 654-7267 or [email protected] and ask about the OnDemand Flex Pass. Many organizations have found it to be the perfect solution for meeting their varied training needs.

    Best regards,

    Stephen Northcutt

    President

    SANS Technology Institute, a postgraduate computer security college

    Table of Contents

    To register or get more information, visit www.sans.org/OnDemand, e-mail: [email protected], Phone: 301-654-7267

    SANS Cyber Guardian Program 2

    DoD Directive 8570 3

    GIAC Global Information Assurance Certification 3

    SANS Training and Your Career Roadmap 4-5

    SEC301: Intro to Information Security 6

    SEC401: SANS Security Essentials Bootcamp Style 7

    SEC501: Advanced Security Essentials - Enterprise Defender 8

    SEC502: Perimeter Protection In-Depth 9

    SEC503: Intrusion Detection In-Depth 10

    SEC504: Hacker Techniques, Exploits, and Incident Handling 11

    SEC505: Securing Windows 12

    SEC506: Securing Linux/Unix 13

    SEC509: Securing Oracle 14

    SEC542: Web App Penetration Testing and Ethical Hacking 15

    SEC560: Network Penetration Testing and Ethical Hacking 16

    SEC617: Wireless Ethical Hacking, Penetration Testing, and Defenses 17

    SEC709: Developing Exploits for Penetration Testers and Security Researchers 18

    FOR408: Computer Forensic Essentials 19

    FOR508: Computer Forensics, Investigation, and Response 20

    FOR610: Reverse-Engineering Malware: Malware Analysis Tools & Techniques 21

    MGT411: SANS 27000 Implementation & Management 22

    MGT414: SANS +S Training Program for the CISSP Certification Exam 23

    MGT512: Security Leadership Essentials for Managers with Knowledge Compression 24

    LEG523: Legal Issues in Information Technology & Information Security 25

    AUD410: IT Security Audit and Control Essentials 26

    AUD507: Auditing Networks, Perimeters, and Systems 27

    DEV422: Defending Web Applications Security Essentials 28

    DEV541: Secure Coding in Java/JEE: Developing Defensible Apps 28

    DEV544: Secure Coding in NET: Developing Defensible Apps 29

    DEV545: Secure Coding in PHP: Developing Defensible Apps 29

    SANS OnDemand Skill-Based Short Courses 30

    SANS 2010 Live Training Calendar 31

    Other SANS Training Options 32-33

    SANS vLive! 33

    SANS Technology Institute Master's Degree in Information Security 33

    OnDemand Flex Pass 34-35

    OnDemand Registration Information 36

    OnDemand Course Fees 37

    Become a SANS Cyber Guardian and stay one step ahead of the threats as well as know what to do when a breach occurs.

    www.sans.org/cyber-guardian

    The SANS Cyber Guardian Program

    About the Program

    SANS Cyber Guardian program is designed for the elite teams of technical security professionals who are part of the armed forces, Department of Defense, government agencies, and organizations whose role includes securing systems, reconnaissance, counter-terrorism and counter hacks. These teams will be the Cyber Security Special Forces where each individual's role makes the team successful.

    Program Overview

    - Prerequisite is completion of GSEC or CISSP
    - Core Courses and Certification:
      - SEC 503: Intrusion Detection In-Depth - GCIA
      - SEC 508: Computer Forensics, Investigation, and Response - GCFA
      - SEC 560: Network Penetration Testing and Ethical Hacking - GPEN
    - Select a Red or Blue Team Specialty
    - Complete and Pass Two Specialty Courses and Certifications
    - Complete the GSE Hands-On Exam

    Program Benefits for Security Professionals

    - You will be prepared for all types of cyber attacks and know how to react when a breach occurs
    - Receive SANS elite, hands-on training
    - Earn an exclusive GIAC Security Expert Certification that will set you apart in the infosec field
    - Receive a SANS Cyber Guardian Patch and use of the logo for business cards and proposals
    - Career Opportunities - infosec professionals with SANS Cyber Guardian skills are in high demand. You can opt to have SANS refer you to agencies and organizations who need Cyber Guardians.

    Program Benefits for Services and Employers

    - Gain the reassurance that your systems are being protected by the most qualified security professionals available
    - Your employees will be able to keep you up-to-date on the latest attacks
    - Use of the SANS Cyber Guardian logo for business proposals, stationery, and business cards

    Learn more at www.sans.org/cyber-guardian

    Real Threats, Real Skills, Real Success

    EARN YOUR CERTIFICATION

    Top Four Reasons to Get GIAC Certified

    1. Promotes hands-on technical skills and improves knowledge retention

    "The GIAC certification process forced me to dig deeper into the information that I was taught in class. As a result of this, I integrated this training into my practical skill set and improved my hands-on skills." - Dean Farrington, Information Security Engineer, Wells Fargo

    2. Provides proof that you possess hands-on technical skills

    "GIAC proves that I have a very solid technical background to support any challenge I deal with every day. There are so many new tools coming up daily, but the underlying background essentially remains the same." - Wayne Ho, Business Information Security Officer, Global Bank

    3. Positions you to be promoted and earn respect among your peers

    "I think the GIAC certification has definitely helped provide credibility for me in the workplace. This, in turn, has helped me be more effective at my job." - Matt Austin, Senior Security Consultant, Symantec

    4. Proves to hiring managers that you are technically qualified for the job

    "Hiring managers are always looking for ways to help sort through candidates. GIAC certifications are a major discriminator. They ensure that the candidate has hands-on technical skills." - Chris Schock, Network Engineer, State of Colorado

    DoD Directive 8570 requires:

    - By the end of CY2010, personnel performing IAT and IAM functions must be certified.
    - By the end of CY2011, personnel performing CND-SP and IASAE roles must be certified.
    - IA jobs will be categorized as Technical or Management Level I, II, or III, and to be qualified for those jobs, you must be certified.

    DoD Baseline IA Certifications

    TECH II: GSEC; TECH III: GSE CISSP CISA

    MGT I: GSLC GISF; MGT II: GSLC CISSP; MGT II: GSLC CISSP

    Information Assurance System Architecture & Engineering (IASAE) Certifications

    IASAE I: CISSP; IASAE II: CISSP

    Computer Network Defense (CND) Certifications

    CND Analyst: GCIA; CND Incident Responder: GCIH; CND Auditor: GSNA CISA

    Training for Certifications

    AUD423: CISA; AUD507: GSNA; MGT414: CISSP; MGT512: GSLC; SEC301: GISF; SEC401: GSEC; SEC503: GCIA; SEC504: GCIH; SEC401, SEC503 & SEC504: GSE

    "It's not about the cert, it's about the knowledge gained in pursuit of the cert." - Dave Hull, Trusted Signal, LLC

    Get more information at www.sans.org/8570

    SANS TRAINING AND YOUR CAREER ROADMAP

    For a complete list of SANS courses, visit www.sans.org.

    SEC504: Hacker Techniques, Exploits, and Incident Handling (GCIH, PG 11)

    SEC501: Advanced Security Essentials - Enterprise Defender (GCED, PG 8)

    SEC540: VoIP Security

    SEC560: Network Pen Testing and Ethical Hacking (GPEN, PG 16)

    SEC542: Web App Pen Testing and Ethical Hacking (GWAPT, PG 15)

    Additional Penetration Testing Courses

    DEV538: Web Application Pen Testing

    SEC553: Metasploit for Pen Testers

    SEC561: Network Penetration Testing

    Additional Incident Handling Courses

    SEC517: Cutting-Edge Hacking Techniques

    SEC550: Information Reconnaissance: Competitive Intelligence and Online Privacy

    Network and Application Security Curriculum

    SEC501: Advanced Security Essentials - Enterprise Defender (GCED, PG 8)

    SEC301: Intro to Information Security (GISF, PG 6)

    SEC401: SANS Security Essentials Bootcamp Style (GSEC, PG 7)

    Beginners

    Additional Network and Application Security Courses

    SEC440: 20 Critical Security Controls: Planning, Implementing, and Auditing

    SEC556: Comprehensive Packet Analysis

    SEC566: 20 Critical Security Controls - In Depth

    SEC617: Wireless Ethical Hacking, Pen Testing, and Defenses (GAWN, PG 17)

    SEC709: Developing Exploits for Pen Testers and Security Researchers (PG 18)

    Additional Audit Courses

    AUD410: IT Security Audit and Control Essentials (PG 26)

    AUD429: IT Security Audit Essentials Bootcamp

    AUD521: PCI/DSS 1.2: Becoming and Staying Compliant

    SEC440: 20 Critical Security Controls: Planning, Implementing, and Auditing

    SEC566: 20 Critical Security Controls - In Depth

    AUDIT CURRICULUM

    AUD507: Auditing Networks, Perimeters, and Systems (GSNA, PG 27)

    SEC301 NOTE: If you have experience in the field, please consider our more advanced course SEC401.

    APPLICATION SECURITY CURRICULUM

    Secure Coding

    Additional Secure Coding Courses

    DEV304: Software Security Awareness

    DEV320: Introduction to the Microsoft Security Development Lifecycle

    DEV534: Secure Code Review for Java Web Apps

    DEV536: Secure Coding for PCI Compliance

    Web App Pen Testing

    SEC542: Web App Pen Testing and Ethical Hacking (GWAPT, PG 15)

    Additional Web App Pen Testing Courses

    DEV538: Web App Pen Testing

    Web App Security

    DEV422: Defending Web Applications Security Essentials (PG 28)

    SECURITY CURRICULA

    FOR508: Computer Forensics, Investigation, and Response (GCFA, PG 20)

    Penetration Testing Curriculum

    DEV544: .NET Secure Coding (GSSP-.NET, PG 29)

    DEV541: Java/JEE Secure Coding (GSSP-JAVA, PG 28)

    DEV545: PHP Secure Coding (PG 29)

    Incident Handling Curriculum

    SEC301: Intro to Information Security (GISF, PG 6)

    SEC401: SANS Security Essentials Bootcamp Style (GSEC, PG 7)

    SANS Training and Your Career Roadmap (continued)

    For a complete list of GIAC Certifications, visit www.giac.org.

    System Administration Curriculum

    SEC505: Securing Windows (GCWN, PG 12)

    SEC501: Advanced Security Essentials - Enterprise Defender (GCED, PG 8)

    SEC506: Securing Linux/Unix (GCUX, PG 13)

    Additional System Administration Courses

    SEC434: Log Management In-Depth

    SEC509: Securing Oracle (PG 14)

    SEC531: Windows Command-Line Kung Fu

    SEC546: IPv6 Essentials

    SEC564: Security Architecture for Sys Admins

    Intrusion Analysis Curriculum

    SEC502: Perimeter Protection In-Depth (GCFW, PG 9)

    SEC501: Advanced Security Essentials - Enterprise Defender (GCED, PG 8)

    SEC503: Intrusion Detection In-Depth (GCIA, PG 10)

    Additional Intrusion Analysis Courses

    SEC577: Virtualization Security Fundamentals

    LEGAL CURRICULUM

    FORENSICS CURRICULUM

    MANAGEMENT CURRICULUM

    SEC301: Intro to Information Security (GISF, PG 6)

    SEC401: SANS Security Essentials Bootcamp Style (GSEC, PG 7)

    MGT414: SANS +S Training Program for the CISSP Certification Exam (GISP, PG 23)

    MGT525: Project Management and Effective Communications for Security Professionals and Managers (GCPM)

    MGT512: SANS Security Leadership Essentials For Managers with Knowledge Compression (GSLC, PG 24)

    SEC301: Intro to Information Security (GISF, PG 6)

    Additional Management Courses

    MGT404: Fundamentals of Information Security Policy

    MGT411: SANS 27000 Implementation & Management (PG 22)

    MGT421: Leadership and Management Competencies

    MGT432: Information Security for Business Executives

    MGT438: How to Establish a Security Awareness Program

    LEG523: Legal Issues in Information Technology and Information Security (PG 30)

    GIAC certification available for courses indicated with GIAC acronyms

    Additional Forensics Courses

    FOR526: Advanced Filesystem Recovery and Memory Forensics

    FOR408: Computer Forensic Essentials (PG 19)

    FOR508: Computer Forensics, Investigation, and Response (GCFA, PG 20)

    FOR606: Drive and Data Recovery Forensics

    FOR610: REM: Malware Analysis Tools & Techniques (GREM, PG 21)

    FOR563: Mobile Device Forensics

    FOR558: Network Forensics

    SEC301: Intro to Information Security (GISF, PG 6)

    SEC401: SANS Security Essentials Bootcamp Style (GSEC, PG 7)

    Intro to Information Security

    SECURITY 301 ONLINE TRAINING

    Who Should Register

    - Professionals who need to hit the ground running and need an overview of information assurance
    - Managers, information security officers, and system administrators who need an overview of risk management and defense-in-depth techniques
    - Anyone who writes, implements, or must adhere to policy, disaster recovery, or business continuity

    Get GISF Certified

    www.giac.org

    With SANS OnDemand, students receive:

    - Four months of access to our 24/7 online training and integrated assessment quizzes
    - A full set of course books and hands-on CDs
    - Labs and hands-on exercises
    - Synchronized online courseware and lectures
    - E-mail access to OnDemand virtual mentors
    - Progress reports

    Fred Kerby is an engineer, manager, and security practitioner whose experience spans several generations of networking. He is the information assurance manager at the Naval Surface Warfare Center, Dahlgren Division and has vast experience with the political side of security incident handling. His team is one of the recipients of the SANS Security Technology Leadership Award as well as the Government Technology Leadership Award. Fred received the Navy Meritorious Civilian Service Award in recognition of his technical and management leadership in computer and network security. A frequent speaker at SANS, Fred's presentations reflect his opinions and are not the opinions of the Department of the Navy.

    IAM Level I of the Department of Defense Baseline Certification for 8570

    This introductory certification course is the fastest way to get up to speed in information security.

    Written and taught by battle-scarred security veterans, this entry-level course covers a broad spectrum of security topics and is liberally sprinkled with real life examples. A balanced mix of technical and managerial issues makes this course appealing to attendees who need to understand the salient facets of information security and risk management. Organizations often tap someone who has no information security training and say, "Congratulations, you are now a security officer." If you need to get up to speed fast, Security 301 rocks!

    We begin by covering basic terminology and concepts, and then move to the basics of computers and networking as we discuss Internet Protocol, routing, Domain Name Service, and network devices. We cover the basics of cryptography, and wireless networking, then we look at policy as a tool to effect change in your organization. In the final day of the course, we put it all together with an introduction to defense in-depth.

    If you're a newcomer to the field of information security, this is the course for you! You will develop the skills to bridge the gap that often exists between managers and system administrators and learn to communicate effectively with personnel in all departments and at all levels within your organization.

    This is the course SANS offers for the professional just starting out in security. If you have experience in the field, please consider our more advanced offerings, such as SEC401: SANS Security Essentials Bootcamp Style.

    Who Should Register

    - Security professionals who want to fill the gaps in their understanding of technical information security
    - Network engineers wanting to enter the field of security
    - Security engineers, admins, managers, and others wanting a more detailed understanding of the technical components of security
    - Anyone new to information security with some background in information systems and networking
    - Individuals with operational responsibility for a firewall, VPN, or Internet-facing device

    Get GSEC Certified

    www.giac.org

    SANS Security Essentials Bootcamp Style

    SECURITY 401 ONLINE TRAINING

    This course is endorsed by the Committee on National Security Systems (CNSS) NSTISSI 4013 Standard for Systems Administrators in Information Systems Security (INFOSEC).

    Maximize your training time and turbo-charge your career in security by learning the full SANS Security Essentials curriculum needed to qualify for the GSEC certification.

    Security Essentials is designed to give anyone interested in network security the skills required to be an effective player in this space. This in-depth, comprehensive course provides the essential, up-to-the-minute knowledge and skills required for securing systems and/or organizations. It also gives you the language and theory of computer security, all of it taught by the best security instructors in the industry.

    With SANS OnDemand, students receive:

    - Four months of access to our 24/7 online training and integrated assessment quizzes
    - A full set of course books and hands-on CDs
    - Labs and hands-on exercises
    - Synchronized online courseware and lectures
    - E-mail access to OnDemand virtual mentors
    - Progress reports

    Please note that some course material for SEC401 and MGT512 may overlap. We recommend SEC401 for those interested in a more technical course of study and MGT512 for those primarily interested in a leadership-oriented but less technical learning experience.

    IAT Level II of the Department of Defense Baseline Certification for 8570

    Eric Cole, PhD is an industry recognized security expert, with over 15 years of hands-on experience. Cole currently performs leading-edge security consulting and works in research and development to advance the state of the art in information systems security. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. Cole has a master's degree in computer science from NYIT and a PhD from Pace University with a concentration in information security. Dr. Cole is the author of several books including Hackerole, Hackers Beware, Hiding in Plain Sight, Network Security Bible, and Insider Threat. He is the inventor of over 20 patents and is a researcher, writer, and speaker. Eric is also a senior scientist with Lockheed Martin Information Technology (LMIT) and Lockheed Martin (LM) fellow. Cole is actively involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware.

    SANS Security Essentials - Enterprise Defender

    SECURITY 501 ONLINE TRAINING

    Who Should Register

    - Students who have taken Security Essentials and want a more advanced 500-level course similar to SEC401
    - People who have foundational knowledge covered in SEC401, do not want to take a specialized 500-level course, and still want a broad advanced coverage of the core areas to protect their systems
    - Anyone looking for detailed technical knowledge on how to protect against, detect, and react to the new threats that will continue to cause harm to an organization

    Get GCED Certified

    www.giac.org

    With SANS OnDemand, students receive:

    - Four months of access to our 24/7 online training and integrated assessment quizzes
    - A full set of course books and hands-on CDs
    - Labs and hands-on exercises
    - Synchronized online courseware and lectures
    - E-mail access to OnDemand virtual mentors
    - Progress reports

    Eric Cole, PhD is an industry recognized security expert, with over 15 years of hands-on experience. Cole currently performs leading-edge security consulting and works in research and development to advance the state of the art in information systems security. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. Cole has a master's degree in computer science from NYIT and a PhD from Pace University with a concentration in information security. Dr. Cole is the author of several books including Hackerole, Hackers Beware, Hiding in Plain Sight, Network Security Bible, and Insider Threat. He is the inventor of over 20 patents and is a researcher, writer, and speaker. Eric is also a senior scientist with Lockheed Martin Information Technology (LMIT) and Lockheed Martin (LM) fellow. Cole is actively involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware.

    Cyber security will continue to increase in importance as attacks become stealthier, have a greater financial impact on an organization, and cause reputational damage.

    While Security Essentials lays a solid foundation for the security practitioner, there is only so much that can be packed into a six-day course. SEC501 is a follow up to SEC401: SANS Security Essentials (with no overlap) and continues to focus on more technical areas needed to protect an organization. The course focus is on:

    - Prevention - configuring a system or network correctly
    - Detection - identifying that a breach has occurred at the system or network level
    - Reaction - responding to an incident and moving to evidence collection/forensics

    Prevention is ideal, but detection is a must. We have to ensure that we constantly improve security to prevent as many attacks as possible. This prevention/protection occurs externally and internally. Attacks will continue to pose a threat to an organization as data becomes more portable and networks continue to be porous. Therefore a key focus needs to be on data protection - securing our critical information whether it resides on a server, in a robust network architecture, or on a portable device.

    Despite our best effort at preventing attacks and protecting critical data, some attacks will still be successful. Therefore we need to be able to detect attacks in a timely fashion. This is accomplished by understanding the traffic flowing on your networks and looking for indication of an attack. It also includes performing penetration testing and vulnerability analysis against an organization to identify problems and issues before a compromise occurs.

    Finally, once an attack has been detected, we must react in a timely fashion and perform forensics. By understanding how the attacker broke in, this can be fed back into more effective and robust preventive and detective measures, completing the security lifecycle.

    Who Should Register

    Inormation security ofcers

    Intrusion analysts IT managers

    Network architects

    Network security engineers

    Network and systemadministrators

    Security managers

    Security analysts

    Security architects Security auditors

    Get GCFW Certied

    wwwgiacorg

    WithSANSOnDemand,studentsreceive:

    4-months access to our 24/7 onlinetraining and integrated assessmentquizzes

    A ull set o course books andhands-on CDs

    Labs & hands-on exercises

    Synchronized online coursewareand lectures

    E-mail access to OnDemand virtualmentors

    Progress reports

    perimeter protection In-DethS E C U R I T Y

    502O N L I N E T R A I N I N G

    Thereisnosinglefxorsecuringyournetwork.Thats why this course is a comprehensive analysis of a wide breadth of technolo-

    gies. This is probably the most diverse course in the SANS catalog, as mastery of

    multiple security techniques are required to defend your network from remoteattacks. You cannot just focus on a single OS or security appliance. A proper secu-

    rity posture comprises multiple layers. This course was developed to give you the

    knowledge and tools necessary at every layer to ensure your network is secure.

    The course starts by looking at common problems: Is there trafc passing by my

    rewall I didnt expect? How did my system get compromised when no one can

    connect to it from the Internet? Is there a better solution than anti-virus for con-

    trolling malware? Well dig into these questions and more and answer them.

    We all know how to assign an IP address, but to secure your network you really

    need to understand the idiosyncrasies of the protocol. Well talk about how IP

    works and how to spot the abnormal patterns. If you cant hear yourself sayingHummm, there are no TCP options in that packet. Its probably forged, then youll

    gain some real insight from this portion of the material.

    Once you have an understanding of the complexities of IP, we'll get into how to control it on the wire. We focus on the underlying technology used by all of the projects rather than telling you which are good and which are bad ones. A side-by-side product comparison is only useful for that specific moment in time. By gaining knowledge of what goes on under the cover, you will be empowered to make good product choices for years to come. Just because two firewalls are stateful inspection, do they really work the same on the wire? Is there really any difference between stateful inspection and network-based intrusion prevention, or is it just marketing? These are the types of questions we address in this portion of the course.

    We move on to a proper, wire-level assessment of a potential product, as well as what options and features are available. We'll even get into how to deploy traffic control while avoiding some of the most common mistakes. Feel like your firewall is generating too many daily entries for you to review the logs effectively? We'll address this problem not by reducing the amount of critical data, but by streamlining and automating the back-end process of evaluating it.

    But you can't do it all on the wire. A properly layered defense needs to include each individual host: not just the hosts exposed to access from the Internet, but hosts that have any kind of direct or indirect Internet communication capability as well. We'll start with OS lockdown techniques and move on to third-party tools that can permit you to do anything from sandboxing insecure applications to full-blown application policy enforcement.

    Most significantly, I've developed this course material using the following guiding principles: learn the process, not just one specific product; you learn more by doing, so hands-on problem-solving is key; always peel back the layers and identify the root cause. While technical knowledge is important, what really matters are the skills to properly leverage it. This is why the course is heavily focused on problem solving and root cause analysis. While these are usually considered soft skills, they are vital to being effective in the role of security architect. So along with the technical training, you'll receive risk management capabilities and even a bit of Zen empowerment.

    Chris Brenton is a private consultant with over ten years of experience in the field. He is one of the founding members of the initial Honeynet Project, one of the original Internet Storm Center handlers, and started up one of the first managed security ISPs. Over the years, he's been credited with the discovery of numerous vulnerabilities in various software products. Along with being a published author, Chris is responsible for maintaining all of the material in the SANS Perimeter Protection In-Depth course. In his spare time, Chris teaches rally and high-speed off-road security driving where he can be found teaching students to make their side window the front of the car.

    To register or get more information, visit www.sans.org/OnDemand e-mail: [email protected] Phone: 301-654-7267

    Who Should Register

    Intrusion detection analysts (all levels)

    Network engineers

    System, security, and network administrators

    Hands-on security managers

    Individuals with operational responsibility for a firewall, VPN, or Internet-facing device

    Get GCIA Certified

    www.giac.org

    With SANS OnDemand, students receive:

    Four months of access to our 24/7 online training and integrated assessment quizzes

    A full set of course books and hands-on CDs

    Labs and hands-on exercises

    Synchronized online courseware and lectures

    E-mail access to OnDemand virtual mentors

    Progress reports

    Intrusion Detection In-Depth

    SECURITY 503 ONLINE TRAINING

    Mike Poor is a founder and senior security analyst for the DC firm InGuardians, LLC. In his recent past life he has worked for Sourcefire as a research engineer and for the SANS Institute leading their Intrusion Analysis Team. As a consultant, Mike conducts forensic analysis, penetration tests, vulnerability assessments, security audits, and architecture reviews. His primary job focus, however, is in intrusion detection, response, and mitigation. Mike currently holds both GSEC and GCIA certifications and is an expert in network engineering and systems, network, and Web administration. Mike is a contributing author of the international best-selling book Snort 2.1 from Syngress and is a handler for the Internet Storm Center.

    Learn practical, hands-on intrusion detection and traffic analysis from top practitioners/authors in the field.

    This is the most advanced program in network intrusion detection that has ever been taught. All of the course material is either new or just updated to reflect the latest attack patterns. This series is jam-packed with network traces and analysis tips. The emphasis is on increasing students' understanding of the workings of TCP/IP and Hex, methods of network traffic analysis, and one specific network intrusion detection system: Snort. This course is not a comparison or demonstration of multiple NIDS. Instead, the knowledge/information provided here allows students to better understand the qualities that go into a sound NIDS and the "whys" behind them, and thus, to be better equipped to make a wise selection for their site's particular needs.

    This is a fast-paced course and students are expected to have a basic working knowledge of TCP/IP (see: www.sans.org/training/tcpip_quiz.php) in order to fully understand the topics that will be discussed. Although others may benefit from this course, it is most appropriate for students who are or who will become intrusion detection analysts. Students generally range from novices with some TCP/IP background all the way to seasoned analysts. The challenging, hands-on exercises are specially designed for all experience levels. We strongly recommend that you spend some time getting familiar with TCPdump, WINdump, or another network analyzer output before coming to class.

    PREREQUISITE: You must possess at least a working knowledge of TCP/IP and Hex. See www.sans.org/training/tcpip_quiz.php to test your TCP/IP and Hex basics knowledge.

    CND Analyst for the Department of Defense Baseline Certification for 8570

    If your organization has an Internet connection or a disgruntled employee (and whose doesn't!), your computer systems will get attacked.

    From the five, ten, or even one hundred daily probes against your Internet infrastructure, to the malicious insider slowly creeping through your most vital information assets, to the spyware your otherwise wholesome users inadvertently downloaded, attackers are targeting your systems with increasing viciousness and stealth.

    By helping you understand attackers' tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan, the in-depth information in this course helps you turn the tables on computer attackers. This course addresses the latest cutting-edge insidious attack vectors, the "oldie-but-goodie" attacks that are still so prevalent, and everything in between.

    Instead of merely teaching a few hack attack tricks, this course includes a step-by-step process for responding to computer incidents; a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them; and a hands-on workshop for discovering holes before the bad guys do. This workshop also includes the unique SANS Capture-the-Flag event on the last day where you will apply your skills to match wits with your fellow students and instructor in a fun and engaging learning environment. You'll get to attack the systems in our lab and capture the flags to help make the lessons from the whole week more concrete. Additionally, the course explores the legal issues associated with responding to computer attacks including employee monitoring, working with law enforcement, and handling evidence.

    It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your company's system and also that you advise your network and computer operations teams of your testing.

    Who Should Register

    Members and leaders of incident handling teams

    System administrators and security personnel

    Ethical hackers/penetration testers who want to understand the concepts underlying their testing regimen

    Get GCIH Certified

    www.giac.org

    With SANS OnDemand, students receive:

    Four months of access to our 24/7 online training and integrated assessment quizzes

    A full set of course books and hands-on CDs

    Labs and hands-on exercises

    Synchronized online courseware and lectures

    E-mail access to OnDemand virtual mentors

    Progress reports

    CND Incident Responder for the Dept. of Defense Baseline Certification for 8570

    Ed Skoudis is a founder and senior security consultant with InGuardians. Ed's expertise includes hacker attacks and defenses, the information security industry, and computer privacy issues, with over fifteen years of experience in information security. Ed authored and regularly teaches the SANS courses on network penetration testing (SEC560) and incident response (SEC504), helping over three thousand information security professionals each year improve their skills and abilities to defend their networks. He has performed numerous security assessments; conducted exhaustive anti-virus, anti-spyware, Virtual Machine, and IPS research; and responded to computer attacks for clients in financial, high technology, healthcare, and other industries. Ed conducted a demonstration of hacker techniques against financial institutions for the United States Senate and is a frequent speaker on issues associated with hacker tools and defenses. He has published numerous articles on these topics as well as the Prentice Hall best sellers Counter Hack Reloaded and Malware: Fighting Malicious Code. Ed was also awarded 2004-2009 Microsoft MVP awards for Windows Server Security and is an alumnus of the Honeynet Project. Previous to InGuardians, Ed served as a security consultant with International Network Services (INS), Global Integrity, Predictive Systems, SAIC, and Bell Communications Research (Bellcore).

    SECURITY 504 ONLINE TRAINING

    Hacker Techniques, Exploits, and Incident Handling

    SECURITY 505 ONLINE TRAINING

    Who Should Register

    Windows network security engineers and architects

    Windows administrators with security duties

    Anyone with Windows machines who wants to implement the SANS 20 Critical Security Controls

    Active Directory designers and administrators

    Those who must enforce security policies on Windows hosts

    Those deploying or managing a PKI or smart cards

    IIS administrators and Web masters with Web servers at risk

    Administrators who use the command line or scripting to automate their duties and must learn PowerShell (the replacement for CMD scripting and VBScript)

    Get GCWN Certified

    www.giac.org

    With SANS OnDemand, students receive:

    Four months of access to our 24/7 online training and integrated assessment quizzes

    A full set of course books and hands-on CDs

    Labs and hands-on exercises

    Synchronized online courseware and lectures

    E-mail access to OnDemand virtual mentors

    Progress reports

    Jason Fossen is a principal security consultant at Enclave Consulting LLC, a published author, and a frequent public speaker on Microsoft security issues. He is the sole author of the SANS week-long Securing Windows course (SEC505), maintains the Windows day of Security Essentials (SEC401.5), and has been involved in numerous other SANS projects since 1998. He graduated from the University of Virginia, received his master's degree from the University of Texas at Austin, and holds a number of professional certifications. He currently lives in Dallas, Texas.

    Will you be transitioning from Windows XP to Windows 7?

    The Securing Windows course is fully updated for Windows Server 2008-R2 and Windows 7. Most of the content applies to Windows Server 2003 and XP too, but the focus is on 2008/Vista/7.

    Concerned about the 20 Critical Security Controls of the Consensus Audit Guidelines? This course will help you implement the Critical Controls relevant to Windows systems, not just audit them, and will walk you through most of the tools step-by-step too.

    As a Windows security expert, how can you stand out from the crowd and offer management more than the usual "apply this checklist" advice? Be a security architect who understands the big picture. You can save your organization money, maintain compliance with regulations, secure your networks, and advance your career all at the same time. How? By leveraging the Windows infrastructure you've already paid for.

    This program is a comprehensive set of courses for Windows security architects and administrators. It tackles tough problems like Active Directory forest design, how to use Group Policy to lock down desktops, deploying a Microsoft PKI and smart cards, pushing firewall and IPSec policies out to every computer in the domain, securing public IIS web servers, and PowerShell scripting.

    PowerShell is the future of Windows scripting and automation. Easier to learn and more powerful than VBScript, PowerShell is an essential tool for automation and scalable management. And if there's one skill that will most benefit the career of a Windows specialist, it's scripting, because most of your competition lacks scripting skills, so it's a great way to make your resume stand out. Scripting skills are also essential for being able to implement the 20 Critical Security Controls.

    You are encouraged to bring a virtual machine running Windows Server 2008 Enterprise Edition configured as a domain controller, but this is not a requirement for attendance since the instructor will demo everything discussed on-screen. You can get a free evaluation version of Server 2008 from Microsoft's Web site (just do a Google search on "site:microsoft.com Server 2008 trial"). You can use VMware, Virtual PC or any other virtual machine software.

    This is a fun and fascinating course, a real eye-opener even for Windows administrators with years of experience. Come see why there's a lot more to Windows security than just applying patches and changing passwords; come see why a Windows network needs a security architect.

    Securing Windows

    Who Should Register

    Security professionals looking to learn the basics of securing Unix operating systems

    Experienced administrators looking for in-depth descriptions of attacks on Unix systems and how they can be prevented

    Administrators needing information on how to secure common Internet applications on the Unix platform

    Auditors, incident responders, and InfoSec analysts who need greater visibility into Linux and Unix security tools, procedures, and best practices

    Get GCUX Certified

    www.giac.org

    Hal is founder and CEO of Deer Run Associates, a systems management and security consulting firm. He has spent more than 15 years managing systems and networks for some of the largest commercial, government, and academic organizations in the country. He is the technical editor for SysAdmin Magazine and was the recipient of the 2001 SAGE Outstanding Achievement award for his teaching and leadership in the field of system administration. Hal participated in the first SANS training program and designed the SANS Step-by-Step course model. He is a top-rated instructor and author on topics ranging from information security to system and network management to Perl programming.

    SECURITY 506 ONLINE TRAINING

    Experience in-depth coverage of Linux and Unix security issues.

    Examine how to mitigate or eliminate general problems that apply to all Unix-like operating systems, including vulnerabilities in the password authentication system, file system, virtual memory system, and applications that commonly run on Linux and Unix. This course provides specific configuration guidance and practical, real-world examples, tips, and tricks.

    Throughout this course, you will become skilled at utilizing freely available tools to handle security issues, including SSH, AIDE, sudo, lsof, and many others. SANS' practical approach with hands-on exercises every day ensures that you can start using these tools as soon as you return to work. We will also put these tools to work in a special section that covers simple forensic techniques for investigating compromised systems.

    Sampling of Topics

    Memory attacks, buffer overflows

    File system attacks, race conditions

    Trojan horse programs and rootkits

    Monitoring and alerting tools

    Unix logging and kernel-level auditing

    Building a centralized logging infrastructure

    Network security tools

    SSH for secure administration

    Server lockdown for Linux and Unix

    Controlling root access with sudo

    SELinux and chroot() for application security

    DNSSEC deployment and automation

    mod_security and Web application firewalls

    Secure configuration of BIND, Sendmail, Apache

    Forensic investigation

    Securing Linux/Unix

    With SANS OnDemand, students receive:

    Four months of access to our 24/7 online training and integrated assessment quizzes

    A full set of course books and hands-on CDs

    Labs and hands-on exercises

    Synchronized online courseware and lectures

    E-mail access to OnDemand virtual mentors

    Progress reports

    PREREQUISITE: Students must possess at least a working knowledge of Unix. Most students who attend the course have a minimum of three to five years of Unix system administration experience. To test your knowledge, see our Unix Knowledge Quiz at http://www.sans.org/training/unix_quiz.php.

    Who Should Register

    Oracle database administrators responsible for installation and management of Oracle databases

    Developers who wish to create secure data access applications and Web sites

    Security professionals who are concerned about the security of their organization's Oracle databases

    Auditors and penetration testers who need to evaluate the security of Oracle databases

    Security managers who need to understand the security risks with data held in an Oracle database

    Securing Oracle

    SECURITY 509 ONLINE TRAINING

    Tanya Baccam is a senior SANS instructor as well as a SANS courseware author. She also provides many security consulting services, such as system audits, vulnerability and risk assessments, database assessments, Web application assessments, and penetration testing. She has previously worked as the director of assurance services for a security services consulting firm, as well as manager of infrastructure security for a healthcare organization. She also served as a manager at Deloitte & Touche in the Security Services practice. Throughout her career she has consulted with many clients about their security architecture, including areas such as perimeter security, network infrastructure design, system audits, Web server security, and database security. She has played an integral role in developing multiple business applications and currently holds the CPA, GCFW, GCIH, CISSP, CISM, CISA, CCNA, CCSE, CCSA, and Oracle DBA certifications.

    Experts agree that Oracle is one of the most complex software packages available today.

    Unfortunately, complexity often introduces an increased risk for vulnerabilities. These vulnerabilities are being increasingly targeted by attackers. It is not uncommon for the SANS Internet Storm Center to see hundreds of thousands of hack attempts against Oracle databases each month.

    SANS recognizes the need for comprehensive Oracle security training to help organizations protect their most critical information resources. In this course, the student is led through the process of auditing and securing Oracle by defining the risks to data, using auditing techniques for detecting unauthorized access attempts, using Oracle access controls and user management functions, and developing reliable backup and restore processes and techniques to secure the Oracle database, as well as applications.

    Throughout the course the student will be exposed to the database as seen through the eyes of an attacker, including public and unreleased techniques that are used to compromise the integrity of the database or escalate a user's privileges. In this fashion, the student gains a better understanding of how an attacker sees a database as a target and how we can configure the database to be resistant to known and unknown attacks.

    This course has been updated for versions of Oracle up to and including 11g on Unix and Windows operating systems.

    With SANS OnDemand, students receive:

    Four months of access to our 24/7 online training and integrated assessment quizzes

    A full set of course books and hands-on CDs

    Labs and hands-on exercises

    Synchronized online courseware and lectures

    E-mail access to OnDemand virtual mentors

    Progress reports

    Who Should Register

    General security practitioners

    Web site designers and architects

    Developers

    Get GWAPT Certified

    www.giac.org

    With SANS OnDemand, students receive:

    Four months of access to our 24/7 online training and integrated assessment quizzes

    A full set of course books and hands-on CDs

    Labs and hands-on exercises

    Synchronized online courseware and lectures

    E-mail access to OnDemand virtual mentors

    Progress reports

    Web App Penetration Testing and Ethical Hacking

    SECURITY 542 ONLINE TRAINING

    Kevin Johnson is a senior security analyst with InGuardians. Kevin came to security from a development and system-administration background. He has many years of experience performing security services for Fortune 100 companies, and in his spare time contributes to a large number of open-source security projects. Kevin founded and leads the development on the Basic Analysis and Security Engine (BASE) project, the most popular Web interface for the Snort intrusion detection system. Kevin is an instructor for SANS, teaching both SEC504: Hacker Techniques, Exploits, and Incident Handling and SEC542: Web App Penetration Testing and Ethical Hacking. He has presented to many organizations, including Infragard, ISACA, ISSA, and the University of Florida.

    Assess Your Web Apps in Depth

    Web applications are a major point of vulnerability in organizations today. Web app holes have resulted in the theft of millions of credit cards, major financial and reputational damage for hundreds of enterprises, and even the compromise of thousands of browsing machines that visited Web sites altered by attackers. In this class, we'll learn the art of exploiting Web applications so we can find flaws in our enterprise's Web apps before the bad guys do. Through detailed, hands-on exercises and training from a seasoned professional, we will learn the four-step process for Web application penetration testing. We will inject SQL into back-end databases to learn how attackers exfiltrate sensitive data. We will use Cross-Site Scripting attacks to dominate a target infrastructure in our unique hands-on laboratory environment. And, we will explore various other Web app vulnerabilities in depth with tried-and-true techniques for finding them using a structured testing regimen. We will learn the tools and methods of the attacker so that you can be a powerful defender.

    We will study the attacker's view of the Web and analyze the art of reconnaissance, specifically targeted to Web applications. We will also examine the mapping phase when we interact with a real application to determine its internal structure. In the discovery phase we'll focus on client-side portions of the application, such as Flash objects and Java applets. We then move into the final stage, exploitation, using advanced methods to gain further access within the application and wrapping things up with a walk-through of an entire attack scenario. Students will learn methods of combining various attacks to better gauge the business impact of application vulnerabilities.

    Throughout the class, we will learn the context behind the attacks so that you understand the real-life applications of our exploitation. In the end, we will be able to assess your own organization's Web applications to find some of the most common and damaging Web app vulnerabilities. By knowing your enemy, you can defeat your enemy.

    General security practitioners as well as Web site designers, architects, and developers will benefit from learning the practical art of Web application penetration testing.

    Who Should Register

    Penetration testers

    Ethical hackers

    Auditors who need to build deeper technical skills

    Security personnel whose job involves assessing target networks and systems to find security vulnerabilities

    Get GPEN Certified

    www.giac.org

    With SANS OnDemand, students receive:

    Four months of access to our 24/7 online training and integrated assessment quizzes

    A full set of course books and hands-on CDs

    Labs and hands-on exercises

    Synchronized online courseware and lectures

    E-mail access to OnDemand virtual mentors

    Progress reports

    Network Penetration Testing and Ethical Hacking

    SECURITY 560 ONLINE TRAINING

    Ed Skoudis is a founder and senior security consultant with InGuardians. Ed's expertise includes hacker attacks and defenses, the information security industry, and computer privacy issues, with over fifteen years of experience in information security. Ed authored and regularly teaches the SANS courses on network penetration testing (SEC560) and incident response (SEC504), helping over three thousand information security professionals each year improve their skills and abilities to defend their networks. He has performed numerous security assessments; conducted exhaustive anti-virus, anti-spyware, Virtual Machine, and IPS research; and responded to computer attacks for clients in financial, high technology, healthcare, and other industries. Ed conducted a demonstration of hacker techniques against financial institutions for the United States Senate and is a frequent speaker on issues associated with hacker tools and defenses. He has published numerous articles on these topics as well as the Prentice Hall best sellers Counter Hack Reloaded and Malware: Fighting Malicious Code. Ed was also awarded 2004-2009 Microsoft MVP awards for Windows Server Security and is an alumnus of the Honeynet Project. Previous to InGuardians, Ed served as a security consultant with International Network Services (INS), Global Integrity, Predictive Systems, SAIC, and Bell Communications Research (Bellcore).

    Find Security Flaws Before the Bad Guys Do.

    Security vulnerabilities, such as weak configurations, unpatched systems, and botched architectures, continue to plague organizations. Enterprises need people who can find these flaws in a professional manner to help eradicate them from our infrastructures. Lots of people claim to have penetration testing, ethical hacking, and security assessment skills, but precious few can apply these skills in a methodical regimen of professional testing to help make an organization more secure. This class covers the ingredients for successful network penetration testing to help attendees improve their enterprise's security stance.

    We address detailed pre-test planning, including setting up an effective penetration testing infrastructure and establishing ground rules with the target organization to avoid surprises and misunderstanding. Then we discuss a time-tested methodology for penetration and ethical hacking across the network, evaluating the security of network services and the operating systems behind them.

    Attendees will learn how to perform detailed reconnaissance, learning about a target's infrastructure by mining blogs, search engines, and social networking sites. We'll then turn our attention to scanning, experimenting with numerous tools in hands-on exercises. Our exploitation phase will include the use of exploitation frameworks, stand-alone exploits, and other valuable tactics, all with hands-on exercises in our lab environment. The class also discusses how to prepare a final report tailored to maximize the value of the test from both a management and technical perspective. The final portion of the class includes a comprehensive hands-on exercise in which students will conduct a penetration test against a hypothetical target organization following all of the steps.

    The course also describes the limitations of penetration testing techniques and other practices that can be used to augment penetration testing to find vulnerabilities in architecture, policies, and processes. We address how penetration testing should be integrated as a piece of a comprehensive enterprise information security program.

    Attendees are expected to have a working knowledge of TCP/IP; cryptographic routines, such as DES, AES, and MD5; and the Windows and Linux command lines before they step into class.

    Who Should Register

    Security professionals who are concerned about the weaknesses of wireless networks

    Penetration testers who want to include wireless network security assessments in their organization's services offerings

    Auditors who must evaluate wireless networks to ensure they meet an acceptable level of risk and are compliant with organizational policy

    Get GAWN Certified

    www.giac.org

    With SANS OnDemand, students receive:

    Four months of access to our 24/7 online training and integrated assessment quizzes

    A full set of course books and hands-on CDs

    Labs and hands-on exercises

    Synchronized online courseware and lectures

    E-mail access to OnDemand virtual mentors

    Progress reports

    Wireless Ethical Hacking, Penetration Testing, and Defenses

    SECURITY 617 ONLINE TRAINING

    Joshua Wright is a senior security analyst with InGuardians, LLC and a senior instructor with the SANS Institute. A widely recognized expert in the wireless security field, Josh has worked with private and government organizations to evaluate the threat surrounding wireless technology. As an open-source enthusiast, Josh has developed a variety of tools that can be leveraged for penetration testing and security analysis. Prior to joining InGuardians, Josh was the senior security researcher for Aruba Networks, leading a team committed to significantly improving the security of modern networks. In his spare time, Josh looks for any opportunity to void the warranty on wireless electronics.

    Wireless technology fundamentally changes accepted security paradigms.

    With the pervasive deployment of wireless technology, attackers have latched on with sophisticated and effective techniques to exploit wireless systems at work, at home, or on the road. Despite the significant threats, organizations are deploying WiFi, Bluetooth, and proprietary wireless technology at a breakneck pace. This can expose internal networks and client systems, often allowing attackers to bypass intrusion detection systems and other defenses.

    To be a wireless security expert, you need to have a comprehensive understanding of the technology, the threats, the exploits, and the defense techniques along with hands-on experience in evaluating and attacking wireless networks. This course takes an in-depth look at these fields, exposing you to wireless security threats through the eyes of an attacker. Using readily available and custom-developed tools, you'll navigate your way through the techniques attackers use to exploit WiFi networks, including attacks against WEP, WPA/WPA2, PEAP, TTLS, and other systems. We'll also examine the commonly overlooked threats associated with Bluetooth, WiMAX, and proprietary wireless systems. With the SWAT toolkit, we'll back up the course content with hands-on labs and practical exercises designed to reinforce the course concepts.

    Through the use of assessment and analysis techniques, this course will show you how to identify the threats that expose wireless technology, building on this knowledge to identify defensive techniques that can be used to protect wireless resources.

    The SWAT Toolkitconsists of:

    Powerful AirPcap TX wireless USB

    adapter for Windows and Linux

    systems USB Global Positioning

    System (GPS) adapter High-power

    Bluetooth interface All software

    and tools used in lab exercises


    Who Should Register

    Incident handlers looking to take the next step in understanding exploitation in its most technical form

    Network and system security professionals looking to understand the methods used to write exploit code and discover vulnerabilities

    Programmers and code review engineers looking to understand the threat of exploitation and how to write Proof of Concept (POC) code to demonstrate exploitation techniques

    Certification-holders looking to improve and put their practical knowledge to the test

    Anyone looking to build credibility and take a technical course on advanced hacking techniques

    With SANS OnDemand, students receive:

    Four months of access to our 24/7 online training and integrated assessment quizzes

    A full set of course books and hands-on CDs

    Labs and hands-on exercises

    Synchronized online courseware and lectures

    E-mail access to OnDemand virtual mentors

    Progress reports

    Developing Exploits for Penetration Testers and Security Researchers

    SECURITY 709 ONLINE TRAINING

    Stephen Sims is an information security consultant currently working for Wells Fargo in San Francisco, California. He has spent the past eight years in San Francisco working for several large financial institutions on network and systems security, penetration testing, exploitation development, and risk assessment and management. Prior to San Francisco, Stephen worked in the Baltimore/DC area as a network security engineer for companies such as General Motors and Sylvan Prometric. He is one of only a handful of individuals who holds the GIAC Security Expert (GSE) Certification and also helps to author and maintain the current version of the exam. He is a SANS certified instructor and the course author of SANS' first and only 700-level course, SEC709: Developing Exploits for Penetration Testers and Security Researchers. Stephen also holds the CISSP, CISA, and Network Offense Professional (NOP) certifications, amongst others.

    Zero-day vulnerabilities are being discovered more frequently, and malicious computer attackers are constantly trying to exploit them.

    But when a new flaw is discovered, it is often difficult to determine whether it is truly exploitable, making an analysis of business risk difficult, if not impossible. Things get even murkier when the flaw is discovered in home-grown applications supporting an enterprise. Yet until now, only a small, self-selected, high-tech priesthood of security researchers have had the skills to determine whether a given flaw can lead directly to exploitation.

    Do you want to join the skilled security researcher elite and stop relying on others to find your application's vulnerabilities and start writing your own Proof of Concept (POC) code? Do you want the skills to be part of the security researcher priesthood?

    In this course we bridge the gaps and take a step-by-step look at Linux and Windows operating systems and how exploitation truly works under the hood. This five-day course rapidly progresses through exploitation techniques used to attack stacks, heaps, and other memory segments on Linux and Windows. This is a fast-paced course that provides you with the skills to hit the ground running with vulnerability research. We end the course with a Capture the Flag (CTF) exercise requiring you to discover and exploit vulnerabilities on remote systems.

    Attendees can apply the skills developed in this class to create and customize exploits for penetration tests of homegrown software applications and newly discovered flaws in widespread commercial software. Understanding the process of exploit development can help enterprises analyze their actual business risks better than the ambiguous hypotheticals we often contend with in most traditional vulnerability assessments.

    This course is not for the faint of heart or those with modest skills. It provides leading-edge skills for the best technical security professionals, security researchers, and pen testers. If you are able to absorb it, the knowledge gained throughout the course will help you write custom exploits to gain privileged system access and determine the real risk to your business. Precompiled exploits won't help you here!


    Who Should Register

    Information technology professionals who wish to learn core concepts in computer forensics investigations and e-discovery

    Law enforcement officers, federal agents, or detectives who desire to be introduced to core forensic techniques and topics

    Information security managers who need a digital forensics background in order to manage investigative teams and understand the implications of potential litigation-related issues

    Information technology lawyers and paralegals who need to understand the basics of digital forensic investigations

    Anyone interested in computer forensic investigations with some background in information systems, information security, and computers

    With SANS OnDemand, students receive:

    4-months access to our 24/7 online training and integrated assessment quizzes

    A full set of course books and hands-on CDs

    Labs & hands-on exercises

    Synchronized online courseware and lectures

    E-mail access to OnDemand virtual mentors

    Progress reports

    Computer Forensic Essentials

    FORENSICS 408 ONLINE TRAINING

    Rob Lee is a director for MANDIANT (www.mandiant.com). Rob is the curriculum lead for digital forensic training at the SANS Institute (forensics.sans.org). He has over 13 years of experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response. Rob graduated from the U.S. Air Force Academy and served in the Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military unit focused on information operations. Later, as a member of the Air Force Office of Special Investigations, he conducted computer crime investigations, incident response, and computer forensics. Prior to joining MANDIANT, he worked with a variety of government agencies in the law enforcement, U.S. Department of Defense, and intelligence communities as the technical lead for a vulnerability discovery and exploit development team, lead for a cyber forensics branch, and lead for a computer forensic and security software development team. Rob coauthored Know Your Enemy, 2nd Edition. He earned his MBA from Georgetown University in Washington DC. Rob was awarded the Digital Forensic Examiner of the Year from the Forensic 4Cast 2009 Awards.

    Master computer forensics. Learn essential investigation techniques.

    With today's ever-changing technologies and environments, it is inevitable that organizations will deal with some form of cyber crime such as computer fraud, insider threat, industrial espionage or phishing. As a result, many organizations are hiring digital forensic professionals and are calling cybercrime law enforcement agents to help fight and solve these types of crime.

    SEC408: Computer Forensic Essentials focuses on the essentials that a forensic investigator must know to investigate core computer crime incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

    This course covers the fundamental steps of the in-depth computer forensic methodology so that each student will have the complete qualifications to work as a computer forensic investigator in the field helping solve and fight crime. This course is the first course in the SANS Computer Forensic Curriculum. If this is your first computer forensics course with SANS, we recommend that you take this introductory course first to set a strong foundation for the full SANS Computer Forensic Curriculum.

    FIGHT CRIME. UNRAVEL INCIDENTS... ONE BYTE AT A TIME.

    With this course, you will receive a FREE SANS Investigative Forensic Toolkit (SIFT) Essentials

    As a part of this course you will receive a SANS Investigative Forensic Toolkit (SIFT) Essentials with a Tableau Write Block Acquisition Kit. The entire kit will enable each investigator to accomplish proper and secure examinations of SATA, IDE, or Solid State Drives (SSD). The toolkit consists of:

    Free SANS Investigative Forensic Toolkit (SIFT)

    - One Tableau T35es eSATA Forensic Bridge

    - IDE Cable/Adapters

    - SATA Cable/Adapters

    - FireWire and USB Cable Adapters

    - Forensic Notebook Adapters (IDE/SATA)

    - HELIX Incident Response and Computer Forensics Live CD

    SANS Windows XP Forensic Analysis VMware Workstation

    Course DVD: Loaded with case examples, tools, and documentation


    Who Should Register

    Incident response team members responding to complex security incidents/intrusions and need computer forensics to help solve their cases

    Computer forensic professionals who want to solidify and expand their understanding of file system forensic and incident response related topics

    Law enforcement officers, federal agents, or detectives who want to master computer forensics and expand their investigative skill set to include data breach investigations, intrusion cases

    Information security professionals with some background in hacker exploits, penetration testing, and incident response

    Information security managers who would like to master digital forensics to understand information security implications and potential litigation or manage investigative teams

    Get GCFA Certified

    www.giac.org

    Rob Lee is a director for MANDIANT (www.mandiant.com). Rob is the curriculum lead for digital forensic training at the SANS Institute (forensics.sans.org). He has over 13 years of experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response. Rob graduated from the U.S. Air Force Academy and served in the Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military unit focused on information operations. Later, as a member of the Air Force Office of Special Investigations, he conducted computer crime investigations, incident response, and computer forensics. Prior to joining MANDIANT, he worked with a variety of government agencies in the law enforcement, U.S. Department of Defense, and intelligence communities as the technical lead for a vulnerability discovery and exploit development team, lead for a cyber forensics branch, and lead for a computer forensic and security software development team. Rob coauthored Know Your Enemy, 2nd Edition. He earned his MBA from Georgetown University in Washington DC. Rob was awarded the Digital Forensic Examiner of the Year from the Forensic 4Cast 2009 Awards.

    Unpatched, unprotected computers connected to the Internet can be compromised in less than three days.

    In the commercial sector, TJ Maxx, Hannaford, and TD Ameritrade are victims of large-scale data breaches and intrusions. Personal or account information of more than 100 million individuals has been compromised. In the government sector, cyber attacks on government agencies and contractors, originating from China, have proved difficult to suppress. In both situations, incident response and mitigation, class action lawsuits, and fines place remediation costs in the billions of dollars.

    This course will give you a firm understanding of computer forensics tools and techniques to investigate data breach intrusions, tech-savvy rogue employees, advanced persistent threats, and complex digital forensic cases. Utilizing advances in spear phishing, Web application attacks, and persistent malware, these new sophisticated attackers advance rapidly through your network. Forensic investigators must master a variety of operating systems, investigation techniques, incident response tactics, and even legal issues in order to solve challenging cases. SEC508 will teach you critical forensic analysis techniques and tools in a hands-on setting for both Windows- and Linux-based investigations.

    We will examine various investigation methodologies and techniques, discovering new places to find evidence and discover the tracks of a cyber criminal or hacker, who is trying to stay hidden inside your network. You will be able to demonstrate how forensic tools function and become skilled with new tools, such as the Sleuthkit, Foremost, and the HELIX3 Pro Forensics Live CD. SANS' hands-on technical course arms you with a deep understanding of the forensic methodology, tools, and techniques to solve advanced computer forensics cases.

    FIGHT CRIME. UNRAVEL INCIDENTS ONE BYTE AT A TIME. We not only teach a firm understanding of the computer forensics tools and techniques, we also teach you the legally approved forensic methodology that will result in success.

    FREE SANS Investigative Forensic Toolkit (SIFT) Advanced


    Computer Forensics, Investigation, and Response

    FORENSICS 508 ONLINE TRAINING

    The SIFT Kit Advanced consists of:

    Hard Drive USB mini adapter kit for SATA/IDE hard drives 1.8/2.5/3.5/5.25

    SANS VMware based Forensic Analysis Workstation

    Course DVD loaded with case examples, tools, and documentation

    Best-selling book File System Forensic Analysis by Brian Carrier

    New Addition! The SIFT Kit Advanced will now include a single version Helix3 Pro that will be individually licensed to each student.


    Who Should Register

    Anyone whose job requires an understanding of key aspects of malicious programs

    Individuals with responsibilities in incident handling, forensic analysis, Windows security, and system administration

    Individuals responsible for supporting their organization's internal security needs

    Engineers from security product and service companies who are looking to deepen their malware analysis expertise

    Get GREM Certified

    www.giac.org

    With SANS OnDemand, students receive:

    4-months access to our 24/7 online training and integrated assessment quizzes

    A full set of course books and hands-on CDs

    Labs & hands-on exercises

    Synchronized online courseware and lectures

    E-mail access to OnDemand virtual mentors

    Progress reports

    Reverse-Engineering Malware: Malware Analysis Tools and Techniques

    FORENSICS 610 ONLINE TRAINING

    Lenny Zeltser leads the security consulting practice at Savvis. He is also a Board of Directors member at SANS Technology Institute, a SANS faculty member, and an incident handler at the Internet Storm Center. Lenny frequently speaks on information security and related business topics at conferences and private events, writes articles, and has co-authored several books. Lenny is one of the few individuals in the world who has earned the highly-regarded GIAC Security Expert (GSE) designation. He also holds the CISSP certification. Lenny has an MBA degree from MIT Sloan and a Computer Science degree from the University of Pennsylvania. For more information about his projects, see www.zeltser.com.

    Expand your capacity to fight malicious code by learning how to analyze bots, worms, and trojans.

    This popular four-day course discusses practical approaches to examining Windows malware using a variety of monitoring utilities, a disassembler, a debugger, and other tools useful for reverse-engineering malicious software. You don't have to be a full-time malware searcher to benefit from this course: as organizations increasingly rely on their staff to act as first responders during a security incident, malware analysis skills become increasingly important.

    By covering both behavioral and code analysis approaches, this unique course provides a rounded approach to reverse-engineering. As a result, the course makes malware analysis accessible even to individuals with a limited exposure to programming concepts. The materials do not assume that the students are familiar with reverse-engineering; however, the difficulty level of concepts and techniques increases quickly as the course progresses.

    In the first half of the course, you will learn how to set up an inexpensive and flexible laboratory for understanding inner-workings of malware, and demonstrate the process by exploring capabilities of real-world specimens. You will learn to examine the program's behavioral patterns and assembly code, and study techniques for bypassing common code obfuscation mechanisms. The course also explores how to analyze browser-based malware.

    In the second half of the course, you will review key assembly language concepts. You will learn to examine malicious code to understand its flow by identifying key logic structures, looking at examples of bots, rootkits, key loggers, and so on. You will understand how to work with PE headers and handle DLL interactions. You will also develop skills for analyzing self-defending malware through advanced unpacking techniques and bypassing code-protection mechanisms. Finally, you will discover how to bypass obfuscation techniques employed by browser-based malicious scripts.

    Hands-on workshop exercises are an essential aspect of this course, and allow you to apply reverse-engineering techniques by examining malicious code in a carefully-controlled environment. When performing the analysis, you will study the supplied specimen's behavioral patterns, and examine key portions of its assembly code.

    REM course on YouTube: http://www.youtube.com/watch?v=5AFdZ0v23YA


    Who Should Register

    ISOs

    ISSMs

    Management professionals considering or implementing ISO/IEC 27000 standard

    Auditors

    Get G7799 Certified

    www.giac.org

    With SANS OnDemand, students receive:

    Four months of access to our 24/7 online training and integrated assessment quizzes

    A full set of course books and hands-on CDs

    Labs and hands-on exercises

    Synchronized online courseware and lectures

    E-mail access to OnDemand virtual mentors

    Progress reports

    With more than twenty years of experience, David Hoelzer has served in positions ranging from the highly technical to senior management for a variety of organizations. For the last ten years, David has been the director of research for Cyber-Defense and the principal examiner for Enclave Forensics. In addition to day-to-day responsibilities, he has acted as an expert witness for the Federal Trade Commission and continues to teach at major SANS events, teaching security professionals from organizations including NSA, USDA Forest Service, Fortune 500 security engineers and managers, DHHS, various DoD sites, national laboratories, and many colleges and universities. From time to time David also speaks nationally and internationally on various security topics.

    The International Standards Organization (ISO) has recently revised what has become the de facto document for creating and maintaining a secure enterprise, today known as the ISO