You are on page 1of 12

Course Syllabus

Collapse All

Course Contents

AUD507.1: Effective Auditing, Risk Assessment, Reporting

Laptop Required
After laying the foundation for the role and function of an auditor in the information
security field, this day's material will give you two extremely useful risk assessment
methods that are particularly effective for measuring the security of enterprise systems,
identifying control gaps and risks, and assisting you to recommend additional
compensating controls to address the risk. Nearly a third of the day is spent covering
important audit considerations and questions when dealing with virtualization and with
Cloud Computing.
In today's information security world, most enterprises are either already moving toward
or seriously considering moving toward compliance with any number of a variety of
security standards that represent best practice. Is your organization doing this today? Are
you running up against any road blocks? Despite implementing controls, are you still
dealing with significant compliance problems? The risk assessment discussions covered
in this material is for you. One of the key topics covered in this material is an effective risk
based method for the specification or selection of controls. Following this discussion, you
will be able to analyze an existing set of controls, a business process, an audit exception
or a security incident, identifying any missing or ineffective controls. More importantly,
perhaps, you will be able to easily identify what corrective actions will eliminate the
problem in the future. Included in this material is a tried and true method for conducting
audits and presenting findings that will assist the organization to move toward
compliance effectively.
The last two sections of the day are spent digging into virtualization solutions. After first
examining some of the huge issues and the biggest questions facing us when it comes to
Cloud Computing, we dig into significant audit considerations when dealing with the
market leader in private cloud implementations and enterprise virtualization solutions:
CPE/CMU Credits: 6

Auditor's Role in Relation to

Policy Creation

Policy Conformance

Incident Handling

Basic Auditing and Assessing Strategies


Time Based Security

Thinking like an Auditor

Developing Auditing Checklists from Policies and Procedures

Effective risk assessment

Risk Assessment

Standards Adoption

Identifying Existing Controls

Determining Root Failure Causes

Using Risk Assessment to Specify New Controls

The Six-Step Audit Process

How the Steps Interrelate

How to Effectively Conduct an Audit

How to Effectively Report the Findings

Virtualization & Cloud Computing



Important contractual requirements

Technical testing of deployments

AUD507.2: Effective Network & Perimeter Auditing / Monitoring

Laptop Required
Enterprise networks are under constant assault. A key foundation in the security of our
enterprise is created by ensuring that we have a validated secure perimeter. As easy as
this is to say, organizations struggle with this constantly. Forces such as wireless
technologies, enterprise VPNs, business partner connections, BYOD policies and more
can all erode the security of our perimeter networks.
In this day we will build from the ground up, dealing with security controls, proper
deployment, effective auditing continuous monitoring of configuration from Layer 2 all the
way up the stack. Students will learn how to identify insecurely configured VLANs, how to
determine perimeter firewall requirements, how to examine enterprise routers and much
Each topic is placed into a risk driven framework for securing a network long term and
discussed in the context of a real security organization. What role does the security
officer play? How do we reconcile security concerns with operational requirements? What
questions should a security auditor be asking? What should the answers to those
questions be? How does continuous monitoring fit in and how do you architect those
Many students describe this as the most difficult day of the entire course but the day that
fills in all of the gaps that they have in networking technology, whether fundamentals,
routers, switches, wireless or firewalls.
CPE/CMU Credits: 6

Specific topics covered include:

Secure Layer 2 Configurations


Spanning Tree

Network Trunking

Switching Fiber Security

Router & Switch Configuration Security

Remote Administration

Logging Concerns and Practice

ACL Configuration & Validation

User Management

Evolving Technologies

Firewall Auditing, Validation & Monitoring

Information Flow Diagramming

Converting Requirements to ACLs

Understanding Firewall Design

Network Architecture Validation

Rules Review& Analysis

Technical Validation of the Firewall Rules

Next Generation Firewalls


Secure Deployments Today

Identification of Wireless Security Issues

Network Population Monitoring

Robust Process for Node Identification

Network Population Change Management & Monitoring

Automated Notification Processes

Vulnerability Scanning

Effective Scanning

Effective, Business Aligned, Reporting

AUD507.3: Web Application Auditing

Laptop Required
Web Applications have consistently rated one of the top five vulnerabilities that
enterprises face for the past several years. Unlike the other top vulnerabilities, however,
our businesses continue to accept this risk since most modern corporations need an
effective web presence to do business today. One of the most important lessons that we
are learning as an industry is that installing an application firewall is not enough!
A portion of the morning will cover all of the underlying principles of web technology and
introduce a set of tools that can be used to validate the security of these applications.
Throughout the day, all of the OWASP Top Ten issues will be addressed, abstracted into
five practical principles of web application design and deployment. The majority of the
day will be spent building and working through a checklist for validating the existence and
proper implementation of controls to mitigate the primary threats found in web
applications through the use of cutting edge techniques and advanced testing methods.
Throughout the material time is spent identifying key development requirements, allowing
you to provide meaningful feedback into your organization's coding standards.
Several discrete web applications will be examined using these tools and the audit
program developed. By the end of the day each student will use the provided high level
checklist and detailed instructions throughout the day to perform a comprehensive
validation of security controls in at least one full web application.

CPE/CMU Credits: 6

In addition to designing an audit testing program, time will be spent discussing process
remediation for project managers and coding teams.

Identify controls against information gathering attacks

Process controls to prevent hidden information disclosures

Control validation of the user sign-on process

Examining controls against user name harvesting

Validating protections against password harvesting

Best practices for OS and web server configuration

How to verify session tracking and management controls

Identification of controls to handle unexpected user input

Server-side Techniques for Protecting Your Customers and Their Sensitive Data

AUD507.4: Advanced Windows Auditing & Monitoring

Laptop Required
Microsoft's business class system make up a large part of the typical IT infrastructure.
Quite often, these systems are also the most difficult to effectively secure and control
because of the enormous number of controls and settings within the operating system.
This class gives you the keys, techniques and tools to build an effective long term audit
program for your Microsoft Windows environment. More importantly, during the course a
continuous monitoring and reporting system is built out, allowing you to easily and
effectively scale the testing discussed within your enterprise when you return home.
During the course of this day, attendees will have the opportunity to perform a thorough
hands on audit of Active Directory servers in class, in addition to the laptop that they

bring to class. In addition to covering all of the major audit points in a stand alone
Windows system, the course will scale these methods for use within a domain. One of
the primary goals of the material presented is to allow the auditor to get away from
checking registry settings, helping administrators to create a comprehensive
management process that automatically verifies settings. With this type of system in
place, the auditor can step back and begin auditing the management processes which
generally helps us to be far more effective.
Finally, the course will spend a significant amount of time discussing the more important
aspects of Active Directory from an auditor's perspective. We will cover and give you the
opportunity to try your hand at querying useful data out of the Active Directory.
Throughout the day we will work to build a comprehensive baseline auditing script to
automatically audit all of the systems within a domain.
CPE/CMU Credits: 6


Progressive construction of a comprehensive audit program

Basic system information

Patch levels

Network based services

Local services

Installed software

Security configuration

Identifying & mitigating system specific vulnerabilities

Group policy management

Log aggregation, management and analysis

Automating the audit process

Windows security tips and tricks

Maintaining a secure enterprise

AUD507.5: Advanced Unix Auditing & Monitoring

Laptop Required
Students will gain a deeper understanding of the inner workings and fundamentals of the
Unix operating system as applied to the major Unix environments in use in business
today. Students will have the opportunity to explore, assess and audit Unix systems
hands-on. Lectures describe the different audit controls that are available on standard
Unix systems, as well as, access controls and security models.
The majority of the day will be spent working hands on with the instructor to create a
comprehensive set of auditing scripts that can be used on virtually any Unix system. This
set of scripts can be used to either check the security of a system, report on the
compliance of the system to a baseline or be used in a change control process to
validate a system before patching and subsequently re-generate the system baseline.
Neither Unix nor scripting experience is required for this day's course. The course book
and hands on exercises present an easy to follow method with the assistance of the
instructor that will allow you to cover scripting and more advanced topics like regular
CPE/CMU Credits: 6

Auditing to Create a Secure Configuration

Building Your Own Auditing Toolkit

File Integrity Assessment

Fine Points of 'find'

Regex Basics

Auditing to Maintain a Secure Configuration

Reading Logfiles

Password Assessment Tools

Risk Assessment

What Tools to Use

How to Go About It

Building a Baseline

Building an Audit Script

Auditing with Accreditation Systems

Auditing to Determine What Went Wrong

Finding Hidden Disk Space

Event Reconstruction

Identifying Back Doors

Anatomy of a Rootkit

Creating a Unix Tools CD

AUD507.6: Audit the Flag: A NetWars Experience

Laptop Required
This final day of the course presents a capstone experience with additional learning
opportunities. Leveraging the well known NetWars engine, students have the opportunity
to connect to a simulated enterprise network environment. Building on the tools and
techniques learned throughout the week, each student is challenged to answer a series
of questions about the enterprise network, working through various technologies explored
during the course.
This allows students to immediately put the knowledge gained into practice with these
guided challenges. At the conclusion of the day, students are asked to identify the most
serious findings within the enterprise environment and to suggest possible root causes
and potential mitigations.

CPE/CMU Credits: 6

Technologies included in the capstone challenges include:
Network Devices


Cisco Switches & Routers


Active Directory domain controllers

DNS servers

Mail servers

Web servers


Intranet web applications

Internet web applications


Additional Information

Laptop Required

Audit 507 requires that you bring a fairly modern laptop running 64 bit Windows 7
Business (or higher) operating system. Your computer should additionally have a
minimum of 2 gigabytes of RAM. A computer not meeting the RAM and operating system
requirements will not be able to run all of the hands-on exercises. Your computer will
need a DVD drive and a wireless adapter for you to participate in the exercises in class.
Your laptop must be capable of running the most current version of VMware Player
( It is strongly advised that you attempt to
download and install VMware Player before coming to class to verify that your laptop can
indeed run it successfully.
It is absolutely necessary that you have full administrative rights on your computer for this
class. We would strongly recommend that you work with your help desk to have a clean
laptop built for the purpose of attending this class. Full administrative rights means that
you will need the ability to install software, change system settings, manipulate the
registry, possibly disable antivirus, etc. Of course, you can meet this requirement by
bringing a laptop with VMware Player already installed and a Windows XP or higher
virtual machine installed inside of a virtual machine to which you have full and complete
If you have additional questions about the laptop specifications, please contact

Who Should Attend

Auditors seeking to identify key controls in IT systems

Audit professionals looking for technical details on auditing

Managers responsible for overseeing the work of an audit or security team

Security professionals newly tasked with Audit responsibilities

System and Network Administrators looking to better understand what an auditor

is trying to achieve, how they think and how to better prepare for an audit

System and Network Administrators seeking to create strong change control

management and detection systems for the enterprise

You Will Be Able To

Understand the different types of controls (e.g., technical vs. non-technical)

essential to performing a successful audit

Conduct a proper risk assessment of network to identify vulnerabilities and

prioritize what will be audited

Establish a well-secured baseline for computers and networks, a standard to

conduct audit against

Perform a network and perimeter audit using a seven step process

Audit firewalls to validate that rules/settings are working as designed, blocking

traffic as required

Utilize vulnerability assessment tools effectively to provide management with the

continuous remediation information necessary to make informed deci- sions about
risk and resources.

Audit web application's configuration, authentication, and session management

identify vulnerabilities attackers can exploit

Utilize scripting to build a system to baseline and automatically audit Active

Directory and all systems in a Windows domain

Author Statement
The SANS Advanced Systems Audit track stands alone in the Information Assurance arena as
the only comprehensive source for hands on audit "How To." Past students have included long
time auditors and those new to the field, both of whom have found significant benefit from the
refresher material. One individual, a vice president with the IIA (Institute of Internal Auditors) said,
"I've been auditing systems for a very long time and no one ever actually gave me a formal
process that I can apply to conducting technical audits. Thank you!" While we don't require a high
level of technical experience as a prerequisite to this course, we have worked hard to make sure
that anyone who comes to the course walks away with a wealth of material that they can go back
to their office and apply tomorrow. We realistically address the "How do I get there from here?"
problem by offering short-term goal solutions which, when combined, will allow you to achieve
your goal: identify, report on and reduce risk in your enterprise. - DAVID HOELZER

Additional Resources
Take your learning beyond the classroom. Explore our site network for additional resources
related to this course's subject matter.