SANS Network Security 2010 - Brochure
Las Vegas
8120 Woodmont Avenue
PRSRT STD
Suite 205
U.S. POSTAGE
Bethesda, MD 20814
PAID September 19-29, 2010
SANS
P R O M O CO D E Dear Colleague,
2010
Please join us for SANS Network Security 2010 at Caesars Palace
THE MOST TRUSTED NAME IN
in Las Vegas, September 19-29, where SANS will provide your best
INFORMATION AND SOFTWARE SECURITY
Hands-on immersion training programs training in the industry today* from the Security, Forensics, Management,
taught by the world’s highest-rated instructors! Audit, and Legal curricula.
Register using this Promo Code and “Getting hands-on At SANS Network Security 2010, you’ll get valuable immersion training from
receive a Special invitation to the
Security Essentials Bootcamp Style
experience with the latest our top SANS instructors and learn skills and tools for dealing with the cyber
SANS Hosted tools and having fun Hacker Techniques, Exploits & Incident Handling threats you face daily. SANS Network Security 2010 offers a high-energy
Presidential Reception learning gives SANS an
program with world-class instructors, a huge Vendor Solutions Expo, hands-on
Network Penetration Testing & Ethical Hacking labs, evening talks and a myriad of networking opportunities to expand your Stephen Northcutt
edge no other training peer group and exchange challenges and solutions.
organization has yet Computer Forensic Investigations & Incident Response
SANS continues to offer the newest and most relevant courses to meet your
SANS is the most trusted and by far the largest source for
Setting the Standard for Security Training
mastered.” Security Leadership Essentials for Managers needs. As you review this brochure, be aware that not only can you select a
information security training, certification, and research in the world. job-based, full course for complete immersion training, but you can also select
-JASON FOWLER, UBC
+S™ Training Program for the CISSP® Cert Exam a short, skill-based course of a day or two either before or after to maximize your
training investment. Course topics include Implementing and Auditing the Twenty
Auditing Networks, Perimeters & Systems Here is what a few
Five Tips to Get Approval for SANS Training ks in
Critical Security Controls – In Depth, Virtualization Security Fundamentals, and much,
of last year’s attendees
SANS WhatWor Intrusion Detection In-Depth much more! Many of the hottest new courses are selling out, so register today!
ance
nd PCI Compli had to say:
1. EXPLORE 4. ADD VALUE
Legal Issues a curity Summit is Networking is a hidden jewel at Network Security 2010! Where else will you meet
n Se
• Read this brochure and note the courses that will enhance your • Share with your boss that you can add value to your experience in Informatio njunction with Web App Penetration Testing and Ethical Hacking others in your field or in your role who deal with the same exploits and challenges
co
role at your organization. by meeting with network security experts - people who face the being held in 10 – Sept 22 - 29. you do? Several networking opportunities are available at SANS Network Security “Again, SANS has
same type of challenges that you face every single day. ri ty 20
Network Secu
• Use the Roadmap to arm yourself with all the necessary …and more than 30 other courses in network and software 2010. Along with your course, you can attend the SANS@Night presentations, managed to take
materials to make a good case for attending a SANS training • Explain how you will be able to get and share great ideas on www.s ans.org/ security, forensics, legal, management, and IT audit.
-2010
-tech-summit evening talks with keynote speakers like Lenny Zeltser and Jason Fossen, and our incredibly complicated
event. improving your IT productivity and efficiency. pci-legal-info
Vendor events. SANS Network Security 2010 Vendor Expo provides a look at solutions material and make it
• Note that the core, job-based courses can be complemented • Enhance your SANS training experience with SANS@Night talks and vendor products that can help address your organization’s key security issues. In
by short, skill-based courses of one or two days. We also offer and the Vendor Expo, which are free and only available at live easy to understand”
addition, we will be featuring Lunch & Learn sessions and Cocktail Briefs throughout
deep discounts for bundled course packages. Consider a GIAC training events.
this event so take advantage of these great networking opportunities. -MARC STOUFER, MEIJER
Certification, which will show the world that you have achieved • Take advantage of the special SANS host hotel rate so you will
proven expertise in your chosen field. be right where the action is! Enhance your learning by attending the Legal Issues & PCI Compliance in Information
2. RELATE 5. ACT Security Summit 2010 being held in conjunction with Network Security 2010. “I like the fact that
• Show how recent problems or issues will be solved with the • With the fortitude and initiative you have demonstrated thus The information technology industry changes daily, and the challenges you face this course contained
knowledge you gain from the SANS course. far, you can confidently seek approval to attend SANS training! are undoubtedly complex. If you know any key stakeholders in the security of your no fluff. All the
• Promise to share what you’ve learned with your colleagues. organization, take them to Las Vegas this fall. They’ll be glad they came! information was of
Return on Investment: SANS training events are
3. SAVE recognized as the best place in the world to get It is our goal to help you get the most out of your SANS Network Security 2010 benefit and no time
• The earlier you sign up, the more you save, so explain the information security education. With SANS, you experience. If you have suggestions on how we can better help you find the
was wasted”
benefit of signing up early. will gain significant return on investment (ROI) for information you need, then I would love to hear from you, [email protected].
your InfoSec investment. Through our intensive -AMALIA DOMINGUEZ,
• Save even more with group discounts! See inside for details. See you in Las Vegas!
immersion classes, our training is designed to help NV ENERGY
your staff master the practical steps necessary Kind regards, When you register, be sure to use
for defending systems and networks against the the promo code on the back of this
most dangerous threats – the ones being actively At brochure. Those who do will receive “No other training
Save $400 when you exploited. Caesar’s Palace a special invitation to the has provided such
register for SANS NS2010 Remember: SANS is your first and best choice for Stephen Northcutt
SANS Presidential Reception. instant value to me as a
by August 11, 2010 information and software security training. The President professional and to
www.sans.org/ SANS Promise is “You will be able to apply our The SANS Technology Institute, a postgraduate computer security college my company.
network-security-2010 information security training the day you get back Register at
to the office!” www.sans.org/network-security-2010 *Based on SC Magazine’s Best Professional Training Program Award 2010 -TERRY PACK, WELLPOINT
SANS TRAINING AND YOUR CAREER ROADMAP
SECURITY CURRICULUM
FORENSICS
SANS Network Security 2010 Registration Fees
Register online at www.sans.org/network-security-2010
Incident Handling
CURRICULUM
SEC501 SEC504 FOR508 Beginners SEC301 NOTE: Intrusion Analysis If you don’t wish to register online,
Advanced Security Hacker Techniques, Computer Forensic If you have experience SEC501 SEC502 SEC503 please call 301-654-SANS(7267) 9:00am - 8:00pm (Mon-Fri) EST and we will fax or mail you an order form.
Essentials – Exploits, and Investigations and SEC301 FOR408
in the field, please Advanced Security Perimeter Intrusion Computer
Enterprise Defender Incident Handling Incident Response Intro to Information
GCED PG 46 GCIH PG 52 GCFA PG 28 Security consider our more Essentials – Protection Detection Forensic Essentials Paid by Paid by Paid after Add Add
advanced course – Enterprise Defender In-Depth In-Depth PG 26
Job-Based Long Courses 8/11/10 8/25/10 8/25/10 GIAC Cert OnDemand
GISF PG 21
GCED PG 46 GCFW PG 48 GCIA PG 50 AUD507 Auditing Networks, Perimeters, and Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,445 $3,595 $3,845 $499 $399
Additional Incident Handling Courses SEC401. DEV522 Defending Web Applications Security Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,445 $3,595 $3,845
SEC517: Cutting-Edge Hacking Techniques SEC401 Additional Intrusion Analysis Courses FOR408 Computer Forensic Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,915 $4,065 $4,315 $399
SANS Security FOR508 Computer Forensic Investigations and Incident Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,645 $3,795 $4,045 $499 $399
SEC550: Information Reconnaissance: Competitive Intelligence and Online Privacy PG 18
Essentials SEC577: Virtualization Security Fundamentals PG 19 FOR508
Computer Forensic FOR558 Network Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,445 $3,595 $3,845
Bootcamp Style Investigations and FOR563 Mobile Device Forensics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,625 $3,775 $4,025
GSEC PG 44 Incident Response
Penetration Testing System Administration GCFA PG 28
FOR610 Reverse-Engineering Malware: Malware Analysis Tools and Techniques . . . . . . . . . . . . . . . . . . . . . . $2,745 $2,895 $3,145 $499 $399
LEG523 Legal Issues in Information Technology and Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,025 $3,175 $3,425 $499 $399
SEC540 SEC542 SEC560 MGT414 SANS® +S™ Training Program for the CISSP® Certification Exam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,445 $3,595 $3,845 $499 $399
VoIP Web App Pen Network Pen SEC501 SEC505 SEC506
Advanced Security Securing Securing MGT512 SANS Security Leadership Essentials For Managers with Knowledge Compression™ . . . . . . . . . . $3,895 $4,045 $4,295 $499 $399
Security Testing and Ethical Testing and Ethical
Hacking Hacking Essentials – Windows Linux/Unix FOR558 FOR563 MGT525 Project Management & Effective Communications for Security Professionals & Managers . . . . . . . $3,445 $3,595 $3,845 $499
Enterprise Defender
GWAPT PG 60 GPEN PG 62 Network and Application Network Mobile Device SEC301 Intro to Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,025 $3,175 $3,425 $499 $399
GCED PG 46 GCWN PG 54 GCUX PG 56 Forensics Forensics SEC401 SANS Security Essentials Bootcamp Style . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,645 $3,795 $4,045 $499 $399
Security PG 30 PG 32 SEC501 Advanced Security Essentials – Enterprise Defender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,545 $3,695 $3,945 $499 $399
SEC501 SEC509 SEC502 Perimeter Protection In-Depth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,495 $3,645 $3,895 $499 $399
SEC617 SEC709 Advanced Security Securing SEC503 Intrusion Detection In-Depth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,545 $3,695 $3,945 $499 $399
Wireless Ethical Developing Exploits for Essentials – Oracle
Hacking, Pen Testing, Penetration Testers and FOR610 SEC504 Hacker Techniques, Exploits, and Incident Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,545 $3,695 $3,945 $499 $399
Enterprise Defender SEC505 Securing Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,495 $3,645 $3,895 $499 $399
and Defenses Security Researchers PG 58 REM: Malware
GCED PG 46 Analysis Tools & SEC506 Securing Linux/Unix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,495 $3,645 $3,895 $499 $399
GAWN PG 64 PG 66
Techniques SEC509 Securing Oracle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,595 $3,745 $3,995 $399
Additional Network and Application Security Courses
Additional Penetration Testing Courses GREM PG 34 SEC542 Web Application Penetration Testing and Ethical Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,445 $3,595 $3,845 $499 $399
SEC440: 20 Critical Security Controls: Planning, Additional System Administration Courses SEC560 Network Penetration Testing and Ethical Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,895 $4,045 $4,295 $499 $399
DEV538: Web App Pen Testing Immersion Implementing, and Auditing
SEC434: Log Management In-Depth SEC566 Implementing & Auditing the Twenty Critical Security Controls - In-Depth . . . . . . . . . . . . . . . . . . . $3,025 $3,175 $3,425
SEC561: Network Penetration Testing: Maximizing the Effectiveness of Reports, SEC556: Comprehensive Packet Analysis PG 18 SEC617 Wireless Ethical Hacking, Penetration Testing, and Defenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,595 $3,745 $3,995 $499 $399
Exploits, and Command Shells SEC531: Windows Command-Line Kung Fu Additional Forensics Courses
SEC565: Data Leakage Prevention - In Depth PG 17 SEC709 Developing Exploits for Penetration Testers and Security Researchers . . . . . . . . . . . . . . . . . . . . . . . . $3,745 $3,895 $4,145
SEC567: Power Packet Crafting with Scapy PG 18 SEC566: Implementing & Auditing the Twenty Critical SEC546: IPv6 Essentials PG 18 FOR526: Advanced Filesystem Recovery and HOSTED Drive and Data Recovery Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,625 $3,775 $4,025
SEC580: Metasploit Kung Fu for Enterprise Pen Testing PG 19 Security Controls - In-Depth PG 20 SEC564: Hacker Detection for System Administrators PG 19 Memory Forensics PG 17 HOSTED (ISC)2® Certified Secure Software Lifecycle Professional (CSSLP) CBK® Education Program . . . . . $2,745 $2,895 $3,145
If taking
a 5-6 day
Skill-Based Short Courses
A P P L I C AT I O N S E C U R I T Y AUDIT LEGAL MANAGEMENT DEV541 Secure Coding in Java/JEE: Developing Defensible Applications . . . . . . . . . . . . . . . . . . . .
course
N/A $2,645 $2,795 $3,045 $499 $399
CURRICULUM CURRICULUM CURRICULUM CURRICULUM FOR526 Advanced Filesystem Recovery and Memory Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $575 $995 $995 $995 $99
MGT305 Technical Communication and Presentation Skills for Security Professionals . . . . . . . . $855 $1,275 $1,275 $1,275
MGT404 Fundamentals of Information Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $855 $1,275 $1,275 $1,275 $99
Design & Test Secure Coding SEC301 SEC401 SEC301 SEC301 SEC301 SEC401
MGT421 SANS Leadership and Management Competencies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $675 $1,095 $1,095 $1,095 $99
Intro to SANS Security Intro to Information Intro to Intro to SANS Security
DEV522 DEV530 DEV543 Information Essentials Security Information Information Essentials MGT570 Social Engineering Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $1,150 $1,700 $1,700 $1,700
Defending Web Essential Secure Secure Coding Security Bootcamp Style GISF PG 21 Security Security Bootcamp Style SEC546 IPv6 Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $575 $995 $995 $995
Applications Coding in Java/JEE in C & C++ GISF PG 21 GSEC PG 44 GISF PG 21 GISF PG 21 GSEC PG 44 SEC550 IPv6 Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $575 $995 $995 $995 $99
Security Essentials SEC556 Comprehensive Packet Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $575 $995 $995 $995 $99
PG 22 SEC564 Hacker Detection for System Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $1,150 $1,700 $1,700 $1,700
DEV541 DEV544 SEC401
SANS Security SEC565 Data Leakage Prevention – In Depth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N/A $2,645 $2,795 $3,045
Secure Coding Secure Coding Essentials
SEC542 in Java/JEE in .NET AUD507 MGT512 MGT414 MGT525 SEC567 Power Packet Crafting with Scapy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $575 $995 $995 $995
Auditing Networks, Bootcamp Style
Web App GSSP-JAVA PG 15 GSSP-.NET SANS Security SANS® +S™ Project Management SEC577 Virtualization Security Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $1,250 $1,800 $1,800 $1,800
Pen Testing and Perimeters, GSEC PG 44
Leadership Essentials Training Program and Effective SEC580 Metasploit Kung Fu for Enterprise Pen Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $1,150 $1,700 $1,700 $1,700
Ethical Hacking and Systems For Managers for the Communications for
GWAPT PG 60 DEV545 GSNA PG 24 with Knowledge CISSP® Certification Security Professionals Individual Courses Available Individual Course Day Rates If Not Taking a Full Course
Secure Coding LEG523 Compression™ Exam and Managers MON 9/20 TUE 9/21 WED 9/22 THU 9/23 FRI 9/24 SAT 9/25
Legal Issues in Paid by Paid by Paid after
in PHP GSLC PG 40 GISP PG 38 GCPM PG 42 AUD507 507.1 507.2 & 507.3 507.4 507.5 507.6 8/11/10 8/25/10 8/25/10
Information
GSSP-PHP Additional Audit Courses Technology and LEG523 523.1 523.2 523.3 523.4 523.5 One Full Day . . . . . . . . . . . . . . . . . . . . . . . . . . . $1,325 $1,325 $1,325
Information Security SEC301 301.1 301.2 301.3 301.4 301.5 Two Full Days . . . . . . . . . . . . . . . . . . . . . . . . . . $2,050 $2,050 $2,050
AUD305: Technical Communication & Presentation Skills
GLEG PG 13 SEC401 401.1 401.2 401.3 401.4 401.5 401.6 Three Full Days. . . . . . . . . . . . . . . . . . . . . . . . . $3,000 $3,000 $3,000
AUD423: Training for the ISACA® CISA® Cert Exam Additional Management Courses
501.1 501.2 501.3 501.4 501.5 501.6 Four Full Days . . . . . . . . . . . . . . . . . . . . . . . . . . $3,250 $3,250 $3,250
Code Review MGT305: Technical Communication and Presentation Skills PG 15
SEC501
AUD429: IT Security Audit Essentials Bootcamp SEC503 503.1 Five Full Days . . . . . . . . . . . . . . . . . . . . . . . . . . $3,800 $3,800 $3,800
DEV534 MGT404: Fundamentals of Information Security Policy PG 16 SEC504 504.1 Six Full Days . . . . . . . . . . . . . . . . . . . . . . . . . . . $4,350 $4,350 $4,350
AUD521: Meeting the Minimum: PCI/DSS 1.2:
Secure Code Review Becoming and Staying Compliant PG 12 SEC505 505.1 505.2 505.3 505.4 505.5 505.6 Seven Full Days . . . . . . . . . . . . . . . . . . . . . . . . $4,950 $4,950 $4,950
for Java Web Apps GIAC certification MGT421: SANS Leadership and Management Competencies PG 16 Eight Full Days . . . . . . . . . . . . . . . . . . . . . . . . . $5,550 $5,550 $5,550
SEC506 506.1 506.2 506.3 506.4 506.5 506.6
Additional Secure Coding Courses SEC440: 20 Critical Security Controls: available for courses MGT432: Information Security for Business Executives
Planning, Implementing, and Auditing indicated with
DEV304: Software Security Awareness MGT438: How to Establish a Security Awareness Program R E M I N D E R :
SEC566: Implementing & Auditing the Twenty Critical GIAC acronyms
DEV536: Secure Coding for PCI Compliance Security Controls - In-Depth PG 20 MGT570: Social Engineering Defense PG 16 When you register, please use the promo code located on the back cover.
Courses-at-a-Glance
SUN MON TUE WED THU FRI SAT SUN MON TUE WED
9/19 9/20 9/21 9/22 9/23 9/24 9/25 9/26 9/27 9/28 9/29
AUD507 Auditing Networks, Perimeters, and Systems PAGE 24
DEV522 Defending Web Applications Security Essentials PAGE 22
DEV541 Secure Coding in Java/JEE: Developing Defensible Applications PAGE 15
FOR408 Computer Forensic Essentials PAGE 26
FOR508 Computer Forensic Investigations and Incident Response PAGE 28
FOR526 Advanced Filesystem Recovery and Memory Forensics P 17
FOR558 Network Forensics PAGE 30
FOR563 Mobile Device Forensics PAGE 32
FOR610 REM: Malware Analysis Tools and Techniques PAGE 34
HOSTED Drive and Data Recovery Forensics PAGE 36
MGT305 Technical Communication and Presentation Skills for P 15
Security Professionals
MGT404 Fundamentals of Information Security Policy P 16
MGT414 SANS® +S™ Training Program for the CISSP® Certification Exam PAGE 38
MGT421 SANS Leadership and Management Competencies P 16
MGT512 SANS Security Leadership Essentials for Managers with PAGE 40
Knowledge Compression™
MGT525 Project Management and Effective Communications for PAGE 42
Security Professionals and Managers
MGT570 Social Engineering Defense P 16
SEC301 Intro to Information Security PAGE 21
SEC401 SANS Security Essentials Bootcamp Style PAGE 44
SEC501 Advanced Security Essentials – Enterprise Defender PAGE 46
SEC502 Perimeter Protection In-Depth PAGE 48
SEC503 Intrusion Detection In-Depth PAGE 50
SEC504 Hacker Techniques, Exploits, and Incident Handling PAGE 52
SEC505 Securing Windows PAGE 54
SEC506 Securing Linux/Unix PAGE 56
SEC509 Securing Oracle PAGE 58
SEC542 Web App Penetration Testing and Ethical Hacking PAGE 60
SEC546 IPv6 Essentials P 18
SEC550 Information Reconnaissance: Competitive Intelligence P 18
and Online Privacy
SEC556 Comprehensive Packet Analysis P 18
SEC560 Network Penetration Testing and Ethical Hacking PAGE 62
SEC564 Hacker Detection for System Administrators P 19
SEC565 Data Leakage Prevention - In Depth PAGE 17
SEC566 Implementing & Auditing the 20 Critical Security Controls - In-Depth PAGE 20
SEC567 Power Packet Crafting with Scapy P 18
SEC577 Virtualization Security Fundamentals P 19
SEC580 Metasploit Kung Fu for Enterprise Pen Testing P 19
SEC617 Wireless Ethical Hacking, Penetration Testing, and Defenses PAGE 64
SEC709 Developing Exploits for Penetration Testers & Security Researchers PAGE 66
HOSTED (ISC)2® Certified Secure Software Lifecycle Professional PAGE 68
(CSSLPCM) CBK® Education Program
SANS WhatWorks in Legal Issues & PCI in Information Security Summit 2010 P 12
LEG523 Legal Issues in Information Technology and Information Security PAGE 13
AUD521 Meeting the Minimum: PCI/DSS 1.2: Becoming & Staying Compliant P 12
Please check the Web site for an up-to-date course list at www.sans.org/network-security-2010
Training and Your Career Roadmap: 2-5
Earn Your GIAC Certification: 6
DoD Directive 8570 Information: 7
Special / Vendor Events: 8-9
SANS Technology Institute: 10-11
Legal Issues & PCI Compliance in Information Security Summit: 12-13
SANS Cyber Guardian Program: 14
Future SANS Training Events: 69
Hotel and Travel Information: 70
Reasons to Come to Baltimore: 71
Registration Information: 72
Registration Fees: 73
SANS TRAINING AND YOUR CAREER ROADMAP
Just Starting a Career in Security and Need a Good Foundation? Need to Implement an Application Security Program?
SEC401: SANS Security SEC501: Advanced Security NEW! DEV522: Defending Web Application DEV541: Secure Coding in Java/JEE: Developing
Essentials Bootcamp Style Essentials – Enterprise Defender Security Essentials Page 22 Defensible Applications (GSSP-JAVA) Page 15
(GSEC) Page 44 (GCED) Page 46 Defending Web applications is critical! Traditional network defenses, This four-day course is a comprehensive course covering
Maximize your training time and turbo- Cyber security continues to be a critical such as firewalls, fail to secure Web applications which have to be a huge set of skills and knowledge; it’s not a high-level theory
charge your career in security by learning area for organizations and will continue to available to large user communities. The amount and importance of course. It’s about real programming. In this course you will
the full SANS Security Essentials curriculum increase in importance as attacks become data entrusted to Web applications is growing, and defenders need examine actual code, work with real tools, build applications,
needed to qualify for the GSEC certification. stealthier, have a greater financial impact to learn how to secure it. DEV522 covers the and gain confidence in the re-
SEC301: Intro to Information
In this course you will learn the language on an organization, and cause reputational OWASP Top 10 and will help you to better sources you need for the journey
Security (GISF) Page 21
and underlying theory of computer security. damage. Security 501 is a follow-on to understand Web application vulnerabilities, to improving security of Java
SANS is the MIT of information security, At the same time you will learn the essen- Security 401 (with no overlap) and continues thus enabling you to properly defend your applications.
and this introductory certification course is tial, up-to-the-minute knowledge and skills to focus on more technical areas that are organization’s Web assets. “This class has made me
the fastest possible way to get up to speed. required for effective performance if you are needed to protect an organization. “While I understand the basic think about data validation
Understand the threats and risks to infor- given the responsibility for securing systems thoughts behind Web application in ways that I had not
“The course content is extensive
mation resources, and identify generally and/or organizations. and covers all the areas that are security, this class gave me a greater thought of before.”
accepted best practices. relevant for a security professional breadth and depth of knowledge.” -RICK STONE, UMPQUA BANK
“Security 401 is a wonderfully compre-
-MISS KOOS, MICHIGAN STATE UNIVERSITY
“This fundamental course sets hensive course for all IT professionals. in today’s IT world. The instructor www.sans-ssi.org
the groundwork for a There is something for everyone, and was great – very experienced
successful future in IT security.” it is a great springboard for all of the and knowledgeable.”
-BRIAN FRICKE, US NAVY/MSC other courses at SANS.” -ANDREA TODD -KAYODE OLOKE, TORYS LLP
Want to Specialize in System Administration?

SEC505: Securing Windows (GCWN) Page 54
This program brings the confusing complexity of Windows security into clear focus by starting with foundational security services and advancing in a logical progression to particular products or features which rely on these foundations, such as IIS and IPSec. Securing Windows is fully updated for Windows Server 2008-R2 and Windows 7. Most of the content applies to Windows Server 2003 and XP too, but the focus is on 2008/Vista/7. Learn to implement the 20 Critical Controls relevant to Windows systems.
“The course introduced a wide range of technologies and issues I was completely unaware of – great exposure to new ideas. Jason’s depth of knowledge and examples are of great value.” -DAVID THORNBURG, SRC

Want to Advance Your Technical Skills?

SEC503: Intrusion Detection In-Depth (GCIA) Page 50
The emphasis of this course is on increasing students’ understanding of the workings of TCP/IP, methods of network traffic analysis, and one specific network intrusion detection system – Snort. This course is not a comparison or demonstration of multiple NIDS. Instead, the knowledge/information provided here allows students to better understand the qualities that go into a sound NIDS and the whys behind them, and thus be better equipped to make a wise selection for their site’s particular needs.
“There’s nothing that compares to the detail and real-world content in this course.” -JOHN DASKAL, LOCKHEED MARTIN

SEC504: Hacker Techniques, Exploits, and Incident Handling (GCIH) Page 52
Learn to detect malicious code and respond on the fly. You’ll learn how your networks appear to hackers, how they gain access with special emphasis on the newer attack vectors, and what they do when they get in – especially in manipulating the system to hide their work. Master the proven six-step process of incident handling so you are prepared to be the technical leader of the incident handling team.
“The information presented is scary good. Really makes you examine your current knowledge from new angles.” -KURT BENNETT, GENERAL DYNAMICS

Want to Specialize in Pen Testing?

SEC542: Web App Penetration Testing and Ethical Hacking (GWAPT) Page 60
Web applications are a major point of vulnerability in organizations today. Web app holes have resulted in the theft of millions of credit cards, major financial and reputational damage for hundreds of enterprises, and even the compromise of thousands of browsing machines that visited Web sites altered by attackers. In this class you’ll learn the art of exploiting Web applications so you can find flaws in your enterprise’s Web apps before the bad guys do.
“Never will you learn so much and have such a great time doing it. Kevin Johnson is an incredible teacher.” -TOM COOK, US ARMY

SEC560: Network Penetration Testing and Ethical Hacking (GPEN) Page 62
Successful penetration testers don’t just throw a bunch of hacks against an organization and regurgitate the output of their tools. Instead, they need to understand how these tools work in depth and conduct their test in a careful, professional manner. This course explains the inner workings of numerous tools and their use in effective network penetration testing and ethical hacking projects.
“This course continually provides clear exercises that concisely demonstrate each concept without extra fluff.” -JASON MANSFIELD, ANONYMIZER, INC.

SEC617: Wireless Ethical Hacking, Penetration Testing, and Defenses (GAWN) Page 64
Few fields are as complex as wireless security. This course breaks down the issues and relevant standards that affect wireless network administrators, auditors, and information security professionals. With hands-on labs and instruction from industry wireless security experts, you will gain an intimate understanding of the risks threatening wireless networks. After identifying risks and attacks, we’ll present field-proven techniques for mitigating these risks, leveraging powerful open-source and commercial tools for Linux and Windows systems.
“This course is absolutely critical for any IT professional responsible for overseeing an existing wireless network.” -JOSHUA BROWN, FLEISHMAN HILLARD

SEC709: Developing Exploits for Penetration Testers and Security Researchers Page 66
In this course we bridge the gaps and take a step-by-step look at Linux and Windows operating systems and how exploitation truly works under the hood. This five-day course rapidly progresses through exploitation techniques used to attack stacks, heaps, and other memory segments on Linux and Windows. This is a fast-paced course that provides you with the skills to hit the ground running with vulnerability research.
“As a software developer, it opened my mind to how vulnerable some of my code could be, and how to protect it in the future” -JOHN CUTTER, SPAWAR

For detailed descriptions of all SANS courses, visit: www.sans.org
For GIAC Certification information, visit: www.giac.org
For SANS Technology Institute advanced degree information, visit: www.sans.edu
SANS Network Security 2010
September 19 - 29, 2010
Want to Specialize in Forensics?

FOR408: Computer Forensic Essentials Page 26
This course focuses on the essentials that a forensic investigator must know to investigate core computer crime incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.
“This is an excellent hands-on course and with an awesome instructor who pays attention to the audience’s skills, teaching accordingly. I love this class!” -PHYLLIS HELLMAN, BOEING COMPANY
http://computer-forensics.sans.org

FOR508: Computer Forensic Investigations and Incident Response (GCFA) Page 28
Network equipment, such as Web proxies, firewalls, IDS, routers, and even switches, contains evidence that can make or break a case. You will learn how to recover evidence from network-based devices and use it to build your case. Each student will be given a virtual network to analyze and will have the opportunity to conduct forensic analysis on a variety of devices.
“Most in-depth course on digital forensics analysis available today. Goes beyond the basics and gets down to the nitty-gritty.” -ELISE FEETHAM

FOR558: Network Forensics Page 30
Network equipment such as Web proxies, firewalls, IDS, routers and even switches contain evidence that can make or break a case. You will learn how to recover evidence from network-based devices and use it to build your case. Each student will be given a virtual network to analyze and will have the opportunity to conduct forensic analysis on a variety of devices.
“This course is amazing. Not only are we covering an extensive range of topics, we are doing labwork for each topic so that we can be comfortable with the new material. Love the class! Thank you.” -DEBORAH GOSHORN, NAVAL POSTGRADUATE SCHOOL

FOR563: Mobile Device Forensics Page 32
This hands-on course provides the core knowledge and skills that a digital forensic investigator needs to process cell phones, PDAs, and other mobile devices. Using state-of-the-art tools, you will learn how to forensically preserve, acquire, and examine data stored on mobile devices and utilize the results for internal investigations or in civil/criminal litigation.
“The manuals are some of the best I’ve seen. The instructor is extremely knowledgeable and experienced with mobile forensics and provides great insight to anyone in the forensic community. The class conversations and interactions make even the first day of this course more valuable than other courses I have attended. Great course!” -HEATHER MAHALIK, BASIS TECHNOLOGY

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques (GREM) Page 34
Expand your capacity to fight malicious code by learning how to analyze bots, worms, and trojans. This recently expanded, four-day course discusses practical approaches to examining malware using a variety of system monitoring utilities, a disassembler, a debugger, and other tools useful for reverse-engineering malicious software. You don’t have to be a full-time malware searcher to benefit from this course. As organizations increasingly rely on their staff to act as first responders during a security incident, malware analysis skills are becoming increasingly important.
“This course was valuable because it gives so many options and software tools to help you analyze malware. The instructor also made the information easy to comprehend even with my entry-level knowledge.” -KEITH HARGROVE, US ARMY

Want to Learn Security from a Management Perspective?

MGT414: SANS® +S™ Training Program for the CISSP® Certification Exam (GISP) Page 38
The SANS CISSP® review course will cover the security concepts needed in order to pass the CISSP® exam. This accelerated review course assumes the student has a basic understanding of networks and operating systems and focuses solely on the ten domains of knowledge as determined by (ISC)². Each domain of knowledge is dissected into its critical components. Every component is discussed showing its relationship to each other and other areas of network security. This course also prepares you for the GISP certification. (Note: The CISSP® exam is NOT provided as part of the training.)
“Very valuable, as it not only teaches the material, it also teaches how to take the exam effectively.” -STEVE BRANT, NETT APP

MGT512: SANS Security Leadership Essentials for Managers with Knowledge Compression™ (GSLC) Page 40
This course is designed to empower senior and advancing managers who want to get up to speed fast on information security issues and terminology. Lecture sections are intense. The diligent manager will learn vital, up-to-date knowledge and skills required to supervise the security component of any information technology project. Only SANS’ top instructors are invited to teach this course.
“This course opens the door to a much deeper area of information needed to effectively manage the security of a network/application.” -MICHAEL GOLDAMMER, L-3 COM. GSI

MGT525: Project Management and Effective Communications for Security Professionals and Managers (GCPM) Page 42
This curriculum is intended to give you the knowledge and tools you need to become a top-notch project manager with a focus on effective communication, human resources, and quality management. The course covers all aspects of project management from planning and initiating projects to managing cost, time, and quality while your project is active and then completing, closing, and documenting after the project finishes. A copy of the Project Management Institute’s Guide to the Project Management Body of Knowledge (PMBOK® Guide®) - Fourth Edition is provided to all participants.
“This course is spot on for security professionals. It covered project management skills from a security point of view.” -ANTWAN BANKS, US ARMY

Want to Advance Your Auditing Security Skills?

AUD507: Auditing Networks, Perimeters, and Systems (GSNA) Page 24
This course is the end product of over one hundred skilled system, network, and security administrators working with one common goal – to improve the state of information security. It is based on known and validated threats and vulnerabilities explained from real-world situations that can be used to raise awareness of why auditing is important. From these threats and vulnerabilities we build countermeasures and defenses, including instrumentation, metrics, and auditing.
“The instructor keeps the class interesting. Lots of material, all of it is useful. No Fluff!” -SANDY WARGO, US ARMY

Want to Learn Security from a Legal Perspective?

LEG523: Legal Issues in Information Technology and Information Security (GLEG) Page 13
Day by day, as legislation and lawsuits become more common, the law is assuming greater influence on IT security. This course will help the IT and legal departments better understand each other and find workable solutions to problems. Learn how to word a security policy so as to minimize liability if your enterprise is sued for losing customer data.
“This course provided tools to help me protect my company’s assets on the Internet in a noble and justifiable way I had never thought of before – great insights and great discussions.” -PAUL JACOBSEN, FLUOR HANFORD
Top Four Reasons to ‘Get GIAC Certified’

1. Promotes hands-on technical skills and improves knowledge retention
“The GIAC certification process forced me to dig deeper into the information that I was taught in class. As a result of this, I integrated this training into my practical skill set and improved my hands-on skills.”
-DEAN FARRINGTON, INFORMATION SECURITY ENGINEER, WELLS FARGO

2. Provides proof that you possess hands-on technical skills
“GIAC proves that I have a very solid technical background to support any challenge I deal with every day. There are so many new tools coming up daily, but the underlying background essentially remains the same.”
-WAYNE HO, BUSINESS INFORMATION SECURITY OFFICER, GLOBAL BANK

3. Positions you to be promoted and earn respect among your peers
“I think the GIAC certification has definitely helped provide credibility for me in the work place. This, in turn, has helped me be more effective at my job.”
-MATT AUSTIN, SENIOR SECURITY CONSULTANT, SYMANTEC

4. Proves to hiring managers that you are technically qualified for the job
“Hiring managers are always looking for ways to help sort through candidates. GIAC certifications are a major discriminator. They ensure that the candidate has hands-on technical skills.”
-CHRIS SCHOCK, NETWORK ENGINEER, STATE OF COLORADO

Five Ways to Earn a GSE

The GIAC Security Expert (GSE) is the most prestigious certification in information security. There are two parts to the GSE exam, a multiple-choice test and a hands-on lab. The multiple-choice test must be completed before the lab. The GSE hands-on lab will be offered at SANS Network Security 2010. Register by August 1, 2010 to reserve your seat! (Click on the register button on www.giac.org) To apply for the GSE, you will need to meet one of the following prerequisites:
1) GSEC, GCIH, GCIA – two of which must be Gold
2) GSEC, GCIH, GCIA – one of which must be Gold and one additional elective certification
3) GSEC, GCIH, GCIA – no Gold and two additional elective certifications
4) GCWN, GCUX, GCIH, GCIA – one of which must be Gold
5) GCWN, GCUX, GCIH, GCIA – no Gold and one additional elective certification
* Elective certifications include: GCFA, GCFW, GCUX, GCWN, GCED, GPEN, GSNA, GWAPT, GAWN, and GREM
Learn more about the GSE at www.giac.org/certifications/gse.php or contact us at [email protected]
CISSP*, CISSP*, CISSP-ISSEP, CISSP-ISSAP
SEC401, SEC503, SEC504, GSE
Computer Network Defense (CND) Certifications
CND ANALYST: GCIA, CEH
CND INCIDENT RESPONDER: GCIH, CSIH, CEH
CND AUDITOR: GSNA, CISA, CEH
*Or Associate
“It’s not about the cert, it’s about the knowledge gained
in pursuit of the cert.” -DAVE HULL, TRUSTED SIGNAL, LLC
Get more information at [email protected] and www.sans.org/8570
Enhance your SANS training! As an added benefit to your training dollar, attend these free talks.
SANS@Night
Check www.sans.org/network-security-2010/night.php for dates and times.
Network Vulnerability Exploitation, Step By Step: From Discovery through to Metasploit Module
Speaker: David Hoelzer
This short one-hour evening presentation explains the causes of Heap and Stack Overflows and then presents a step-by-step tutorial demonstrating how to write basic shellcode, how to find an overflow condition, how to determine memory offsets and how to hand-craft an exploit. Attendees need not have deep knowledge of programming or security flaws. Those who have some experience should be able to duplicate the demonstrations, giving you the ability to show others how these types of flaws are exploited.

The Return of Command Line Kung Fu
Speaker: Hal Pomeranz
Hal Pomeranz serves up another tasty serving of his Linux command line madness. Come learn command line skills (and dirty tricks) to help automate common security and audit-related tasks in Linux and Unix. Bring your thorniest problems and try to “stump the expert”.

Cyberwar or Business as Usual? – The State of US Federal CyberSecurity Initiatives
Speaker: James Tarala
Are we near the point of cyber-armageddon or are we simply engaged in a new reality of information security priorities? Are the attacks being discovered daily against private sector and public federal systems somehow unique and new, or are they simply the new reality of cyberspace? Organizations are regularly forced to make difficult decisions about how best to protect their information systems. How do organizations know when security mechanisms are enough to keep their data safe? In an effort to answer this question and respond to mounting cyber incidents worldwide, the US federal government has been engaging in numerous efforts to secure cyberspace. But what are they and will they be enough? In this presentation, James Tarala will describe current efforts and the tools being offered to help citizens and protect cyberspace.

What’s New for Security in Windows 7 and Server 2008-R2?
Speaker: Jason Fossen
The Vista nightmare is finally over, but what’s new for security in Windows 7 and Server 2008-R2 then? The aim of this talk is to give you a bird’s eye view of the Win7 security enhancements to help you decide whether to upgrade or to grit your teeth and stick with XP for another ten years. Topics include BitLocker To Go for flash drives, AppLocker program whitelisting, IPSec DirectAccess, BranchCache, PowerShell 2.0, booting from VHD files, IE8 SmartScreen Filter, hyper-detailed logging, and the hated User Account Control prompt. Bring your questions and get it straight without the anti-Microsoft FUD or the pro-Microsoft propaganda!

Knock, Knock! How Attackers Use Social Engineering to Bypass Your Defenses
Speaker: Lenny Zeltser
Why bother breaking down the door if you can simply ask the person inside to let you in? Social engineering works, both during penetration testing and as part of real-world attacks. This talk explores how attackers are using social engineering to compromise defenses. It presents specific and concrete examples of how social engineering techniques succeeded at bypassing corporate security defenses. Attend this engaging talk to improve the relevance of your security awareness training and to adjust your defenses by revisiting your perspective of the threat landscape.

Opportunity for the Best Security Professionals: Deflect Legal Liability Caused by Growing Security Threats
Speaker: Ben Wright
As IT security threats evolve, multiply and come to have greater impact on society, the potential legal liability connected with a security breach is growing. The need for change is urgent. Mr. Wright shares latest ideas on how greater professionalism among IT security experts can help their employers avoid costly lawsuits and government investigations.

Vendor Expo
Tuesday, September 21, 2010
12:00pm - 1:30pm and 5:00pm - 7:00pm
All attendees are invited to meet with established and emerging solution providers as they reveal the latest tools and technologies critical to information security. The SANS Network Security 2010 Vendor Expo showcases product offerings from key technology providers in the commercial tools and services market. Vendors arrive prepared to interact with a technically savvy audience. You’ll find demonstrations and product showcases that feature all the best that the security industry has to offer!

SANS Technology Pavilion
During the expo session, attendees are encouraged to visit the SANS Technology Pavilion, a vendor-sponsored learning forum dedicated to specific information security solutions that are helping organizations successfully address their unique security challenges. See thought leaders and product specialists give brief demonstrations on their solution. See something that piques your interest? Visit the sponsor’s booth for a guided walk-through of these industry-leading products.

Vendor Welcome Reception
Tuesday, September 21, 2010 • 5:00pm - 7:00pm
This informal reception allows you to visit exhibits and participate in some exciting activities. This is a great time to mingle with your peers and experience firsthand the latest in information security tools and solutions with interactive demonstrations. Enjoy appetizers and beverages and compare experiences with other attendees regarding the solutions they are using to address security threats in their organization. Attendees can visit sponsors to receive raffle tickets and enter to win exciting prizes. Prize drawings occur throughout the expo. The more vendors you visit the more chances you have to win!

Vendor-Sponsored Breakfasts, Lunch & Learns, and Cocktail Briefs
Throughout SANS Network Security 2010 vendors will provide sponsored breakfast sessions and lunches where attendees can interact with peers and receive education on vendor solutions. Take a break and get up to date on security technologies! Check the bulletin boards near the SANS Network Security 2010 registration desk for session details and availability. Space is limited; sign up at the registration desk on-site.
The evening cocktail brief events bring good fun and great conversation from hosting vendors. Join the party, have a drink, and take a look at solutions that can help address your organization’s key security issues. The list of Cocktail Briefs will be posted on-site at the registration desk.

Vendor Sponsored Lunch Sessions
Tuesday, September 21, 2010 • 12:00pm - 1:30pm
Sign-up at SANS Registration to receive a ticket for a free lunch brought to you by sponsoring vendors. Join these sponsoring vendors and others on the expo floor for an introduction to leading solutions and services that showcase the leading options in information security. Take time to browse the show floor and get introduced to providers and their solutions that align with the security challenges being
Second Quarter: SEC504 Hacker Techniques, Exploits & Incident Handling & GIAC GCIH Gold
Third Quarter: MGT525** Project Mgt and Effective Communications for Security Professionals and Managers & GIAC GCPM Gold
Fourth Quarter: SEC503 Intrusion Detection In-Depth & GIAC GCIA Gold
Fifth Quarter: MGT404* Fundamentals of Information Security Policy; MGT421* SANS Leadership and Management Competencies; MGT438* How to Establish a Security Awareness Program
Sixth Quarter: Elective Course
Seventh Quarter: Elective Course
Eighth Quarter: Software Security Training. Choice of courses: see www.sans.edu/programs/msise
ELECTIVES: Any SEC/FOR 500/600-Level Courses (FOR508 recommended), AUD 507; & GIAC Certs
For a detailed description of this curriculum, please visit www.sans.edu/programs/msise

Second Quarter: SEC504 Hacker Techniques, Exploits & Incident Handling & GIAC GCIH Gold
Third Quarter: MGT525** Project Mgt and Effective Communications for Security Professionals and Managers & GIAC GCPM Gold
Fourth Quarter: AUD507 Auditing Networks, Perimeters, & Systems & GIAC GSNA Gold
Fifth Quarter: MGT404* Fundamentals of Information Security Policy; MGT421* SANS Leadership and Management Competencies; MGT438* How to Establish a Security Awareness Program
Sixth Quarter: MGT411 SANS 27000 Implementation & Management & GIAC G7799 Gold
Seventh Quarter: LEG523 Legal Issues in Information Technology and Information Security & GIAC GLEG Gold
Eighth Quarter: Software Security Training. Choice of courses: see www.sans.edu/programs/msism
For a detailed description of this curriculum, please visit www.sans.edu/programs/msism

*Plus a written assignment
**MGT525 is offered 2-3 times a year
Enhance your Training! The SANS WhatWorks in Legal Issues and PCI Compliance in Information Security Summit is being held in conjunction with SANS NS 2010 in Las Vegas.
AUD521: Meeting the Minimum: PCI/DSS 1.2: Becoming and Staying Compliant
Two-Day Course • 9:00am - 5:00pm • Tue, Sept 28 - Wed, Sept 29, 2010
12 CPE Credits • Laptop Required • Instructor: SANS Staff
The payment card industry has been working over the past several years to formalize a standard for security practices that are required for organizations who process or handle payment card transactions. The fruit of this labor is the Payment Card Industry Data Security Standard (currently at version 1.2).
This standard, which started life as the Visa Digital Dozen, is a set of focused comprehensive controls for managing the risks surrounding payment card transactions, particularly over the Internet. Of course, compliance validation is one of the requirements. This course was created to allow organizations to exercise due care by performing internal validations through a repeatable, objective process. While the course will cover all of the requirements of the standard, the primary focus is on the technical controls and how they can be measured. Every student will leave the class with a toolkit that can be used to validate any PCI/DSS environment technically and the knowledge of how to use it.

Who Should Attend
• Managers overseeing PCI/DSS compliance
• External auditors performing PCI/DSS validation
• Security professionals operating in a PCI/DSS compliant environment
• Internal auditors desiring to validate interim compliance

Sampling of Topics
• Requirements for compliance
• Compliance guidance for each control
• Suite of tools for validating technical compliance
• Explanation of alternative controls
• Discussion of determining scope for compliance requirements

Register at www.sans.org/pci-legal-info-tech-summit-2010

including Business Law and Computer Security, published by the SANS Institute. With 24 years in private law practice, he has advised many organizations, large and small, on privacy, e-commerce, computer security, and e-mail discovery and been quoted in publications around the globe, from the Wall Street Journal to the Sydney Morning Herald. He wrote and presented to the Sri Lankan government a report on technology law, which contributed to the adoption of national e-commerce legislation in 2005. Wright maintains a popular blog at http://legal-beagle.typepad.com.

This course covers the law of business, contracts, fraud, crime, IT security, IT liability, and IT policy – all with a focus on electronically stored and transmitted records.
LEG523 is a five-day package delivering the content of the following one-day courses:
• Fundamentals of IT Security Law and Policy
• E-Records, E-Discovery, and Business Law
• Contracting for Data Security and Other Technology
• The Law of IT Compliance: How to Conduct Investigations. Lessons will be invaluable to the proper execution of any kind of internal investigation.
• Applying Law to Emerging Dangers: Cyber Defense. In-depth review of legal response to the major security breach at TJX.

Special Features! This legal offering will cover many recent developments, including TJX, amendments to the Federal Rules of Civil Procedure pertaining to the discovery of electronic records in litigation, and the torment Hewlett-Packard has endured for spying on journalists and members of its board of directors. Hewlett-Packard employed its internal security team and outside investigators in ways that raised legal questions (can you say, “computer crime law”?) and led to criminal indictments. All security professionals should know the lessons from these cases.

GIAC Certification: www.giac.org
Real Threats, Real Skills, Real Success
THE SANS CYBER GUARDIAN PROGRAM

The Difference between Good and Great Programmers
Great programmers have traditionally distinguished themselves by the elegance, effectiveness, and reliability of their code. That’s still true, but elegance, effectiveness, and reliability have now been joined by security. Major financial institutions and government agencies have informed their internal development teams and outsourcers that programmers must demonstrate mastery of secure coding skills and knowledge, through reliable third-party testing, or lose their right to work on assignments for those organizations. More software buyers are joining the movement every week.

This course covers the OWASP Top 10 and the CWE/SANS Top 25 Programming Errors which are important in Java development.

The Only Course Covering the Key Elements of Secure Application Development in Java
Such buyer and management demands create an immediate response from programmers, “Where can I learn what is meant by secure coding?” This unique SANS course allows you to bone up on the skills and knowledge being measured in the third-party assessments as defined in the Essential Skills for Secure Programmers Using Java/JavaEE. (You can find the Essential Skills document at http://www.sans-ssi.org/blueprint_files/java_blueprint.pdf.)

What Does the Course Cover?
This is a comprehensive course covering a huge set of skills and knowledge. It’s not a high-level theory course. It’s about real programming. In this course you will examine actual code, work with real tools, build applications, and gain confidence in the resources you need for the journey to improving security of Java applications.
Rather than teaching students to use a set of tools, we’re teaching students concepts of secure programming. This involves looking at a specific piece of code, identifying a security flaw, and implementing a fix for that flaw.

Who Should Attend:
• Developers who want to build more secure applications
• Java EE programmers
• Software engineers
• Software architects
• Application security auditors
• Technical project managers
• Senior software QA specialists
• Penetration testers who want a deeper understanding of target applications or who want to provide more detailed vulnerability remediation options

Prerequisites
Students should have at least one year’s experience working with the JEE framework and should have thorough knowledge of Java language and Web technology.

This course is designed for every IT professional in your organization. In this course we cover the top techniques that
will show any attendee how to research and write professional quality reports, how to create outstanding presentation
materials, and as an added bonus, how to write expert witness reports. Attendees will also get a crash course on advanced
public speaking skills.
Writing reports is a task that many IT professionals struggle with, sometimes from the perspective of writing the report
and other times from the perspective of having to read someone else’s report! In the morning material we cover step by
step how to work through the process of identifying critical ideas, how to properly research them, how to develop a strong
argument in written form, and how to put it all down on paper. We also discuss some of the most common mistakes that
can negatively impact the reception of your work and show how to avoid them. Attendees can expect to see the overall
quality of their reports improve significantly as a result of this material.
Writing the presentation is only half of the battle, though. How do you stand up in front of a group of five or even five
thousand and speak? In the afternoon we will share tips and techniques of top presenters that you can apply to give
the best presentation of your career. Additionally, students will have the opportunity to work up and deliver a short
presentation to the class followed by some personal feedback from one of SANS’ top speakers.
Register at www.sans.org/network-security-2010
SANS Network Security 2010
September 19 - 29, 2010
MANAGEMENT SKILL-BASED SHORT COURSES
MGT404: Fundamentals of Information Security Policy
One-Day Course • 9:00am - 5:00pm • Sun, Sept 19, 2010 • 6 CPE Credits • Laptop Required • Instructor: Northcutt
Note: There is a lot of material to cover and we do not want to throttle discussion in class, so this course may run past the
scheduled time.
This course is designed for IT professionals recently assigned security duties which include responsibility for creating and
maintaining policy and procedures.
The Fundamentals of Information Security Policy course focuses on how to write basic security policies that are issue or
system specific. The student will have a hands-on practical assignment writing a policy template not currently offered as
one of SANS policy templates.
Business needs change, the environment changes, new risks are always on the horizon, and critical systems are continually
exposed to new vulnerabilities. Policy development and assessment is a never ending process. This is a hands-on, exercise
intensive course on writing, implementing and assessing security policies. This course is for anyone who is responsible for
writing security policies and procedures.
Leadership is a capability that must be learned and developed to better ensure organizational success. The more
techniques we learn, the better our leadership capability becomes. It is brought primarily through selfless devotion to the
organization and staff, tireless effort in setting the example, and the vision to see and effectively use available resources
toward the end goal. Leaders and followers influence each other toward the goal, identified through a two-way street
where all parties perform their function to reach the overall objective.
Our focus is purely leadership-centric; we are not security-centric or technology-centric with this training opportunity. We
help an individual develop leadership skills that apply to commercial business, non-profit, not-for-profit, or other
organizations. This course is designed to develop existing and new supervisors and managers who aspire to go beyond being the
boss and build leadership skills to enhance their organizational climate through team-building to enhance the
organizational mission through growth in productivity, workplace attitude/satisfaction, and staff and customer relationships.
The manager/supervisor will learn vital, up-to-date knowledge and skills required to shift team paradigms to create a
more positive and cooperative atmosphere in the workplace. Essential leadership topics covered in this management
track include: Leadership Development, Coaching and Training, Employee Involvement, Conflict Resolution, Change
Management, Vision Development, Motivation, Communication Skills, Self-Direction, Brainstorming Techniques, Benefits,
and the ten core Leadership competencies. In a nutshell, this course covers critical processes that should be employed to
develop the skills and techniques to select, train, equip, and develop a team into a single cohesive unit with defined roles
that operate together in harmony toward team-objective accomplishment.
Social engineering attacks are on the rise all around the world. The Anti-Phishing Working Group reported that in the first
half of 2009, the number of known, unique phishing sites reached a high of 49,084 per month. Voice social engineering is
used to steal credit card numbers, employee credentials, and more. Companies are routinely targeted by attackers who are
increasingly skilled at manipulating employees to gain access to valuable information and/or facilities.
In this course, security and IT professionals will learn how to design an effective, ethical social engineering testing and
training program. Working in teams, students will take turns developing and practicing e-mail, phone and physical social
engineering techniques customized for their own organizations. Students will analyze case studies, accompanied by video
and audio clips. By the end of the class, each student will have developed a customized social engineering testing and
training program for their organization.
This advanced course is perfect for the diligent student familiar with core forensic methodology and techniques. If
you understand forensic filesystem fundamentals, then this course is for you. It moves quickly from covering memory
forensics to recovering and discovering deleted partitions from hard drives. This course focuses on innovative forensic
techniques and methodologies so that seasoned practitioners can keep their skills sharp and
up-to-date with the latest research areas in both live and static-based disk forensics.
You will receive:
• Forensic analysis workstation VMware machine equipped to investigate forensic data
• Course DVD loaded with case examples, tools, and documentation
Prerequisites
This advanced course is perfect for the diligent student conversant with file system forensic techniques. If you are just
beginning in digital forensics, this course is not appropriate for you, as the basics of digital forensics will not be covered.
Topics Covered
• File system structures and metadata
• Partitioning schemes
• Mapping out disk partitions by hand
• Discovering lost partitions from a formatted drive
• Windows memory structures
• Following Microsoft Windows memory process
• The usefulness of collecting memory
• Techniques to collect memory
• Memory analysis techniques
Who Should Attend:
• System administrators and incident handling personnel who are trying to further their knowledge in the latest
forensic techniques
• Anyone who wants to learn how file system partitions are structured
• Anyone who wants to learn how to recover lost partitions from a physical disk image
• Anyone who wants to learn how to forensically recover artifacts from memory collected from a machine.
The public is growing impatient with data leaks, as we can see from stricter laws, fallout surrounding reputational damage,
and law suits. This new focus makes information security a ‘bottom-line’ business requirement. When 40% of reported
data breaches are caused by human error, we must expand our attention to include the business processes supported by
information technology.
Data Leakage Prevention – In Depth provides professionals with time-tested methodologies
for detecting data leakage risks and identifying safeguards. When students return to work
they will be able to address their organization’s requirements for protecting confidential
information, create a data leakage prevention team, conduct an information risk assessment,
analyze possible weaknesses in technical systems, and recommend effective approaches for
safeguarding systems and processes.
During class we will go in depth into technical subjects to discuss how confidential information
gets into the wrong hands. For example, a good security design is pertinent to the storage of
critical information in databases, Web applications, e-mail, cloud computing, VPNs, and many
other technologies. The course will demystify encryption, text pattern matching, outsourcing,
cloud computing, and social networking as they relate to DLP. Moreover, other relevant issues
include the fact that outsiders, including the general public and hackers, can also access confidential information through
low-tech means, like paper, social engineering, physical access, and portable storage media. The course will teach you
about the data leakage risks in all of these areas and more and will demonstrate safeguards with hands-on exercises.
This course provides a comprehensive discussion of DLP requirements and provides techniques for students to determine
and evaluate their organization’s DLP risks. The material presents both technical and management subject matter and is
designed for technical professionals who are responsible for protecting the confidential information within their organization.
Please Note: While the course provides information about legal obligations for protecting confidential
information, it is not offered as legal advice or as a comprehensive educational program around your or
your organization’s legal obligations. For more information in these areas, please consider taking one of
the SANS legal courses.
SECURITY SKILL-BASED SHORT COURSES
SEC546: IPv6 Essentials
One-Day Course • 9:00am - 5:00pm • Sun, Sept 26, 2010 • 6 CPE Credits • Laptop Required • Instructor: Ullrich
Your network may not be ready for IPv6, but operating systems and network devices will not hold back. Already, modern
operating systems implement IPv6 by default. Windows 7, for example, ships with Teredo enabled by default. Your
existing firewall may not block it. Learning more about IPv6 is essential to securing your network. This course is designed
not just for implementers of IPv6, but also for those who just need to learn how to detect IPv6 and defend against threats
unintentional IPv6 use may bring.
Information is power! Never before in the history of mankind has so much information been so readily available to so
many people. The trick is knowing where to look and how to look for it. An amazing amount of information is often
only a few skilled keystrokes away from anyone who wants it and knows how to access it. This course guides you on an
exciting and all too often disturbing journey through the World Wide Web (a.k.a Wild Wild Web) in search of actionable
information about people, process, and technology using open-source sources scattered throughout the far reaches of
cyberspace. You will learn about numerous sources, how to leverage Google Hacking effectively, and how to use the tools
of the trade as well as the mindset needed to maximize it all. Bottom line - if they know more than you do, they win...
Please note that this class overlaps substantially with the SEC503: Intrusion Detection course, and the two should not be taken together.
Knowing how to decode network traffic is a skill requirement for any serious network or information security
administrator. Being able to decode the bits and bytes that represent mission-critical networks will give you the skills to
identify malicious activity, troubleshoot network failures, and analyze other desirable or undesirable network events.
This class will give you the skills necessary to decode network traffic with open-source tools available for Unix and
Windows systems. Students will learn advanced pcap packet filtering methods to decode and manipulate network traffic
using tcpdump and use Wireshark to extract files (pictures, documents, executables, etc.) from a data stream for malware
recovery, incident response and forensics analysis. You’ll be able to use these new skills to analyze current or future
network protocols and gain a better understanding of your network traffic. The tools covered in this class are:
Windump/TCPdump, Wireshark, Mergecap, Unix file command, and a Hex Editor.
Have you ever written a new Snort rule but had no test traffic to see if it alerts? Have you ever tried to craft traffic to
perform some pen testing using a restrictive command line packet crafting tool, but gave up because it couldn’t do what
you wanted it to do? Have you ever wondered if your firewall would block certain traffic? You feel a bit defeated because
you know what you want to do...you just don’t have the proper tool or wherewithal to do it.
The course author exhausted the limitations of command line tools when she was tasked with crafting overlapping TCP
segments – ones with the same TCP sequence numbers, but different payloads in the middle of an established session.
There is no command line tool that allows you to do this with complete control of packet header and payload values.
Attempting this using C or some other programming language seemed daunting. She learned that crafting packets using
scapy is not an arcane skill used only by advanced programmers; it is straightforward and fairly easy using the foundation
delivered in this one-day course.
One of today’s most rapidly evolving and widely deployed technologies is server virtualization.
Many organizations are already realizing the cost savings from implementing virtualized servers,
and systems administrators love the ease of deployment and management for virtualized
systems. There are even security benefits to virtualization – easier business continuity and disaster
recovery, single points of control over multiple systems, role-based access, and additional
auditing and logging capabilities for large infrastructures.
It cannot be stressed enough that if your laptop does not meet minimum configuration requirements,
you will not be able to participate in this course.
With these benefits comes a dark side, however. Virtualization technology is the focus of many new potential threats and
exploits and presents new vulnerabilities that must be managed. In addition, there are a vast number of configuration
options that security and system administrators need to understand, with an added layer of complexity that has to be
managed by operations teams. Virtualization technologies also connect to network infrastructure and storage networks
and require careful planning with regard to access controls, user permissions, and traditional security controls.
Prerequisites: Basic knowledge of systems and networking, some exposure to VMware ESX is helpful but not essential.
Many enterprises today face regulatory or compliance requirements that mandate regular penetration testing and
vulnerability assessments. Commercial tools and services for performing such tests can be expensive. While really solid free
tools, such as Metasploit, are available, many testers do not understand the comprehensive feature sets of such tools and
how to apply them in a professional-grade testing methodology. Metasploit was designed to help testers with confirming
vulnerabilities using an Open Source and easy to use framework. This Official Metasploit Course will help students get the
most out of this free tool. Learn how to apply the incredible capabilities of the Metasploit Framework in a comprehensive
penetration testing and vulnerability assessment regimen, according to a thorough methodology for performing effective
tests. Upon completion, you will have a firm understanding of how Metasploit can fit into your penetration testing and
day-to-day assessment activities.
SECURITY
566
Five-Day Program • Mon, Sept 20 - Fri, Sept 24, 2010 • 9:00am - 5:00pm
30 CPE Credits • Laptop Required • Instructor: Bryce Galbraith
This course helps you master specific, proven techniques and tools needed to implement and
audit the Top Twenty Most Critical Security Controls.
These Top 20 Security Controls, listed below, are rapidly becoming accepted as the
highest priority list of what must be done and proven before anything else at nearly
all serious and sensitive organizations. These controls were selected and defined by
the US military and other government and private organizations (including NSA, DHS,
GAO, and many others) who are the most respected experts on how attacks actually
work and what can be done to stop them. They defined these controls as their
consensus for the best way to block the known attacks and the best way to help find
and mitigate damage from the attacks that get through. For security professionals, the
course enables you to see how to put the controls in place in your existing network
through effective and widespread use of cost-effective automation. For auditors,
CIOs, and risk officers, the course is the best way to understand how you will measure
whether the Top 20 controls are effectively implemented. It closely reflects the Top 20
Critical Security Controls found at http://www.sans.org/critical-security-controls.
One of the best features of the course is that it uses offense to inform defense. In
other words, you will learn about the actual attacks that you’ll be stopping or
mitigating. That makes the defenses very real, and it makes you a better security person.
Who Should Attend
• Information assurance auditors
• System implementers/administrators
• Network security engineers
• IT administrators
• DoD personnel/contractors
• Federal agencies/clients
• Private sector organizations looking for information assurance priorities for securing their systems
• Security vendors and consulting groups looking to stay current with frameworks for information assurance
• Alumni of SEC/AUD440, SEC401, SEC501, SANS Audit classes, and MGT512
Top 20 Critical Security Controls
Critical Controls Subject to Automated Collection, Measurement, and Validation:
1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4 Secure Configurations of Network Devices Such as Firewalls, Routers, and Switches
5 Boundary Defense
6 Maintenance and Analysis of Security Audit Logs
7 Application Software Security
8 Controlled Use of Administrative Privileges
9 Controlled Access Based On Need to Know
10 Continuous Vulnerability Assessment and Remediation
11 Account Monitoring and Control
12 Malware Defenses
13 Limitation and Control of Network Ports, Protocols, and Services
14 Wireless Device Control
15 Data Loss Prevention
Additional Critical Controls (not directly supported by automated measurement and validation):
16 Secure Network Engineering
17 Penetration Tests and Red Team Exercises
18 Incident Response Capability
19 Data Recovery Capability
20 Security Skills Assessment and Training to Fill Gaps
Certified Instructor
Bryce Galbraith
Bryce began his IT journey at 10 years of age with a Commodore 64 and a 300 baud modem. As a contributing author of the
internationally bestselling book Hacking Exposed: Network Security Secrets & Solutions, Bryce helped bring the secret world of
hacking out of the darkness and into the public eye. Bryce has held security positions at global ISPs and Fortune 500
companies as well as being a senior member of Foundstone’s world renowned attack and penetration team. Bryce also served as
senior instructor and co-author of Foundstone’s Ultimate Hacking: Hands-On series. He has taught the art of ethical hacking
and countermeasures to thousands of IT professionals from a “who’s who” of top companies, financial institutions, and
government agencies around the globe. Bryce teaches SEC504, SEC560, and SEC401 for SANS. Bryce is an active member of several
security-related professional organizations, speaks at a variety of conferences, and holds a number of certifications: CISSP,
GCIH, GSEC, CEH, CHFI, Security+, and CCNA. Bryce is currently lead consultant and co-founder of Layered Security. Bryce also
blogs about security issues at http://blog.layeredsec.com.
301
Five-Day Program • Mon, Sept 20 - Fri, Sept 24, 2010 • 9:00am - 5:00pm
30 CPE Credits • Instructor: Fred Kerby
This introductory certification course is the fastest way to get up to speed
in information security.
Written and taught by battle-scarred security veterans, this entry-level course covers a broad
spectrum of security topics and is liberally sprinkled with real life examples. A balanced
mix of technical and managerial issues makes this course appealing to attendees who need
to understand the salient facets of information security and risk management. Organizations
often tap someone who has no information security training and say, “Congratulations, you are
now a security officer.” If you need to get up to speed fast, Security 301 rocks!
We begin by covering basic terminology and concepts, and then move to the basics
of computers and networking as we discuss Internet Protocol, routing, Domain Name Service,
and network devices. We cover the basics of cryptography, and wireless networking, then
we look at policy as a tool to effect change in your organization. In the final day of the
course, we put it all together with an introduction to defense in-depth.
If you’re a newcomer to the field of information security, this is the course for you! You will
develop the skills to bridge the gap that often exists between managers and system
administrators and learn to communicate effectively with personnel in all departments and at
all levels within your organization.
This is the course SANS offers for the professional just starting out in security. If you have
experience in the field, please consider our more advanced offerings, such as SEC401: SANS
Security Essentials Bootcamp Style.
“This fundamental course sets the groundwork for a successful future in IT security.”
-BRIAN FRICKE, US NAVY/MSC
Who Should Attend
• Persons new to information technology (IT) who need to understand the basics of
information assurance, computer networking, cryptography, and risk evaluation
• Managers and information security officers who need a basic understanding of risk
management and the tradeoffs between confidentiality, integrity, and availability
• Managers, administrators, and auditors who need to draft, update, implement, or enforce policy
Senior Instructor
Fred Kerby
Fred is an engineer, manager, and security practitioner whose experience spans several
generations of networking. He is the information assurance manager at the Naval
Surface Warfare Center, Dahlgren Division and has vast experience with the political side of
security incident handling. His team is one of the recipients of the SANS Security Technology
Leadership Award as well as the Government Technology Leadership Award. Fred received the Navy
Meritorious Civilian Service Award in recognition of his technical and management leadership in
computer and network security. A frequent speaker at SANS, Fred’s presentations reflect
his opinions and are not the opinions of the Department of the Navy.
GIAC Certification: www.giac.org • DoD 8570 Required: www.sans.org/8570
DEVELOPER
522
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
36 CPE Credits • Laptop Required • Instructor: Johannes Ullrich, PhD
Defending Web applications is critical!
In battle an attacker is exposed and at massive disadvantage when fighting against a well entrenched
defender. This course will teach you how to build defense-in-depth, allowing you to detect and
expose an attacker early. Learn about the ‘tripwires and obstacles’ that savvy defenders use to
detect, channel, and thwart attacks! The course material distills
the experience of two top defenders of embattled Web sites, and
builds on the industry consensus research of the CWE/SANS Top
25 programming errors (CWE 25) and the OWASP Top 10.
Who Should Attend
• Application developers
• Application security analysts or managers
• Application architects
• Penetration testers who are interested in learning about defense strategies
• Security professionals who are interested in learning about application security
• Auditors who need to understand defensive mechanisms in applications
Mitigation strategies from an infrastructure, architecture,
and coding perspective will be discussed alongside real-
world implementations that really work. The testing aspect
of vulnerabilities will also be covered so you can ensure your
application is tested for the vulnerabilities discussed in class.
The class goes beyond classic Web applications and includes
coverage of Web 2.0 technologies like AJAX and Web services.
To maximize the benefit for a wider range of audiences, the
discussions in this course will be programming language agnostic.
Focus will be maintained on security strategies rather than coding level
implementation.
The course will cover the topics outlined by OWASP’s Top 10 risks
document, as well as additional issues the authors found of importance
in their day-to-day Web application development practice. Examples
of the topics that will be covered include:
• Infrastructure security
• Server configuration
• Authentication mechanisms
• Application language configuration
• Application coding errors like SQL injection and cross site scripting
• Cross site request forging
• Authentication bypass
• Web services and related flaws
• Web 2.0 and its use of Web services
• XPATH and XQUERY languages and injection
• Business logic flaws
The course will make heavy use of hands-on exercises. It will conclude
with a large defensive exercise, reinforcing the lessons learned
throughout the week.
This course covers the OWASP Top 10 and the CWE/SANS Top 25 Programming Errors
which are important in Java development.
AUTHOR STATEMENT
Too many Websites are getting compromised these days.
Our goal for this course is to arm the students with defensive
strategies that can work for all Web applications.
We all know it is very difficult to defend a Web application;
there are so many different types of vulnerabilities
and attack channels. Overlook one thing and your Web
app is owned. The defensive perimeter needs to extend
far beyond just the coding aspects of Web application.
In this course, we cover the security vulnerabilities so
students have a good understanding of the problems
at hand. We then provide the defensive strategies and
tricks as well as overall architecture that are proven to
help secure sites. I have also included some case studies
throughout the course so we can learn from the mistakes
of others and make our own defense stronger. The
exercises in class were designed to help you further the
understanding and help retain the knowledge by hands-on
practice. By the end of the course, you will have
the practical skills and understanding of the defensive
strategies to lock down existing applications, as well as
building more secure applications in the future.
-Jason Lam and Johannes Ullrich, PhD
522.1 Hands On: Web Basics and Authentication Security*
We begin with an overview of the software development life cycle and security. Proper security control and
process during development is essential to having secure applications, as well as the essential technologies
that are at play in Web applications. You can’t win the battle if you don’t understand what you are trying to
defend. Learn how Web applications work and the security concepts related to them. We discuss the
authentication aspect of Web applications in depth, including the vulnerabilities, followed by examples of
exploitation and the mitigations that could be implemented in the short and long term. Learn the right way of
planning for access during the development life cycle and the common pitfalls with access control by starting
with the vulnerabilities, mitigation and testing, followed by a section on the best practice on authorization.
Topics: HTTP Basics; Overview of Web Technologies; Web Application Architecture; Recent Attack Trends;
Authentication Vulnerabilities and Defense; Authorization Vulnerabilities and Defense
507
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
36 CPE Credits • Laptop Required • Instructor: David Hoelzer
One of the most significant obstacles facing many auditors today is how exactly
to go about auditing the security of an enterprise.
What systems really matter? How do we prioritize the audits that
need to be performed and determine the scope of each? How do
you validate the security of the perimeter? What settings should
be checked on the various systems under scrutiny? Which set of
processes can be put into place to allow an auditor to focus on the
business processes rather than the security settings?
This course is organized specifically to provide a risk-driven method
for tackling the enormous task of designing an enterprise security
validation program. After covering high-level audit issues and general
audit best practice, students will have the opportunity to dive into the
technical how-to for determining the key controls that can be used to
provide a level of assurance to an organization. Tips on how to repeatedly
verify these controls and techniques for automatic compliance
validation will come from real-world examples.
Who Should Attend
• Auditors seeking to identify key controls in IT systems
• Audit professionals looking for technical details on IT auditing
• Managers responsible for overseeing the work of an IT audit or security team
• Security professionals newly tasked with audit responsibilities
• System and network administrators looking to better understand what an auditor is trying to
achieve, how they think, and how to better prepare for an audit
• System and network administrators seeking to create strong change control management and
detection systems for the enterprise
One of the struggles that IT auditors face is helping management
understand the relationship between the technical controls and the
risks to the business. The instructor will use validated information from
real-world situations to explain how they can be used to raise the
awareness of management and others within the organization to understand
why these controls specifically, and auditing in general, are important.
Each student is invited to bring a Windows XP Professional or higher
laptop for use during class. Macintosh computers running OS X may
also be used with VMware Fusion.
A great audit is more than marks on a checklist; it is the understanding
of the underlying controls, knowing what the best practices are, and
having enough information to understand why. Sign up for this course
and experience the mix of theory, hands-on, and practical knowledge.
AUTHOR STATEMENT
This advanced systems audit course stands alone in
the information assurance arena as the only comprehensive
source for hands-on audit how-to. Past
students have included long-time auditors and those
new to the field, both of whom have found significant
benefit from the refresher material. A vice president
with the Institute of Internal Auditors said, “I’ve been
auditing systems for a very long time, and no one ever
actually gave me a formal process that I can apply to
conducting technical audits. Thank you!” While we
don’t require a high level of technical experience as
a prerequisite to this course, we have worked hard to
make sure that anyone who comes to the course walks
away with a wealth of material that they can go back
to their office and apply tomorrow. We realistically
address the problem -- how do I get there from here?
-- by offering short-term goal solutions, which, when
combined, will allow you to achieve your goal: identify,
report on, and reduce risk in your enterprise.
-David Hoelzer
GIAC Certification: www.giac.org
DoD 8570 Required: www.sans.org/8570
STI Masters Program: www.sans.edu
Auditing Networks, Perimeters, and Systems is a hands-on course and is the most comprehensive, most technically advanced audit course on planet earth! Entry level IT auditors tend to earn $40,000 - $65,000 while more advanced auditors can earn up to $95,000. Those with the coveted GSNA certification often earn 8% more than those without.
for a variety of organizations. For the last ten years, David has been the director of research for Cyber-Defense and the principal examiner for Enclave Forensics. In addition to day-to-day responsibilities, he has acted as an expert witness for the Federal Trade Commission and continues to teach at major SANS events, teaching security professionals from organizations including NSA, USDA Forest Service, Fortune 500 security engineers and managers, DHHS, various DoD sites, national laboratories, and many colleges and universities. From time to time David also speaks nationally and internationally on various security topics. David also blogs about IT Audit issues at the SANS It Audit blog.
https://blogs.sans.org/it-audit
507.3 Hands On: Network Auditing Essentials
This day continues where day two left off, extending network and perimeter auditing to internal system validation and vulnerability testing, helping network security professionals to see how to use the tools and techniques described to audit, assess, and secure a network in record time. Following a defense-in-depth approach, learn how to audit perimeter devices, create maps of active hosts and services, and assess the vulnerability of those services. Hands-on exercises are conducted throughout the day so students have the opportunity to use the tools.
Topics: Introduction; War Dialing; Wireless; Mapping Your Network; Configuration Auditing of Key Services; Analyzing the Results; Follow-on Activities
507.4 Hands On: Web Application Auditing
We’ll start with the underlying principles of Web technology and introduce a set of tools that can be used to validate the security of these applications. Then we will build and work through a checklist for validating the existence and proper implementation of controls to mitigate the primary threats found in Web applications.
Topics: Identify Controls Against Information Gathering Attacks; Process Controls to Prevent Hidden Information Disclosures; Control Validation of the User Sign-on Process; Examining Controls Against User Name Harvesting; Validating Protections Against Password Harvesting; Best Practices for OS and Web Server Configuration; How to Verify Session Tracking and Management Controls; Identification of Controls to Handle Unexpected User Input; Server-side Techniques for Protecting Your Customers and Their Sensitive Data
507.5 Hands On: Advanced Windows Auditing
Systems based on the Windows NT line (XP, 2003, Vista, 2008 and Windows 7) make up a large part of the typical IT infrastructure. Quite often, these systems are also the most difficult to effectively secure and control. This class gives you the keys, techniques, and tools to build an effective long term audit program for your Microsoft Windows environment.
Topics: Progressive Construction of a Comprehensive Audit Program; Automating the Audit Process; Windows Security Tips and Tricks; Maintaining a Secure Enterprise
507.6 Hands On: Auditing Unix Systems
Students will gain a deeper understanding of the inner workings and fundamentals of the Unix operating system as applied to the major Unix environments in use in business today. Students will get to explore, assess, and audit Unix systems hands-on. Neither Unix nor scripting experience is required for this day.
Topics: Auditing to Create a Secure Configuration; Auditing to Maintain a Secure Configuration; Auditing to Determine What Went Wrong
“I can immediately implement and manage the included tools to see an instant return on investment.”
-DAVID LIPSHAW, THE WILLS GROUP, INC.
Register at www.sans.org/network-security-2010
FORENSICS 408
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
36 CPE credits • Laptop Required • Instructor: Rob Lee
Who Should Attend
• Information technology professionals who wish to learn core concepts in computer forensics investigations and e-discovery
• Law enforcement officers, federal agents, or detectives who desire to be introduced to core forensic techniques and topics
• Information security managers who need a digital forensics background in order to manage investigative teams and understand the implications of potential litigation-related issues
• Information technology lawyers and paralegals who need to understand the basics of digital forensic investigations
• Anyone interested in computer forensic investigations with some background in information systems, information security, and computers
Master computer forensics. Learn essential investigation techniques.
With today’s ever-changing technologies and environments, it is inevitable that organizations will deal with some form of cyber crime, such as computer fraud, insider threat, industrial espionage, or phishing. As a result, many organizations are hiring digital forensic professionals and are calling cybercrime law enforcement agents to help fight and solve these types of crime.
FOR408: Computer Forensic Essentials focuses on the essentials that a forensic investigator must know to investigate core computer crime incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.
This course covers the fundamental steps of the in-depth computer
forensic methodology so that each student will have the complete
qualifications to work as a computer forensic investigator in the field
helping solve and fight crime. This is the first course in the SANS
Computer Forensic Curriculum. If this is your first computer forensics
course with SANS, we recommend that you take this introductory course
first to set a strong foundation for the full SANS Computer Forensic
Curriculum.
FIGHT CRIME. UNRAVEL INCIDENTS... ONE BYTE AT A TIME.
With this course, you will receive a FREE SANS Investigative Forensic Toolkit (SIFT) Essentials with a Tableau Write Block Acquisition Kit. The entire kit will enable each investigator to accomplish proper and secure examinations of SATA, IDE, or Solid State Drives (SSD). The toolkit consists of:
• Free SANS Investigative Forensic Toolkit (SIFT)
- One Tableau T35es eSATA Forensic Bridge
- IDE Cable/Adapters
- SATA Cable/Adapters
- FireWire and USB Cable Adapters
- Forensic Notebook Adapters (IDE/SATA)
- HELIX Incident Response and Computer Forensics Live CD
• SANS Windows XP Forensic Analysis VMware Workstation
• Course DVD: Loaded with case examples, tools, and documentation
AUTHOR STATEMENT
SANS COMPUTER FORENSICS GRADUATE THWARTS BANK HEIST. Headlines similar to these are now a reality as former students have e-mailed me regularly about how they were able to use their digital forensic skills in very real situations. Graduates of Computer Forensics Essentials are the front line troops deployed when incidents occur. From stopping online bank heists to logic bombers trying to destroy data that could affect many lives, SANS digital forensic graduates are battling and winning the war on crime. Graduates have described solved cases involving computer break-ins, intellectual property theft, fraud, and, in some cases, internal infractions by belligerent employees. Knowing that this course places the correct methodology and knowledge in the hands of responders who thwart the plans of criminals or foreign cyber attacks brings me great comfort. Graduates are doing it. Daily. I am proud that the Computer Forensics Essentials course at SANS helped prepare them to fight and solve crime.
- Rob Lee
SANS Computer Forensic Web site: http://computer-forensics.sans.org
The learning does not end when class is over. The SANS Computer Forensic Web site is a community-focused site offering digital forensics professionals a one-stop forensic resource to learn, discuss, and share current developments in the field. It also provides information regarding SANS forensics training, GIAC certification, and upcoming events. Visit http://computer-forensics.sans.org. New content is added regularly, so please visit often. In addition, do not forget to share this information with your fellow forensic professionals.
FORENSICS 508
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
36 CPE Credits • Laptop Required • Instructors: Mike Murr; Richard Salgado (Day 5)
Who Should Attend
• Incident response team members that respond to complex security incidents/intrusions and need computer forensics to help solve their cases
• Computer forensic professionals who want to solidify and expand their understanding of file system forensics and incident response related topics
• Law enforcement officers, federal agents, or detectives who want to master computer forensics and expand their investigative skill set to include data breach investigations and intrusion cases
• Information security professionals with some background in hacker exploits, penetration testing, and incident response
• Information security managers who would like to master digital forensics to understand information security implications and potential litigation or manage investigative teams
Data breaches and advanced intrusions are occurring daily.
Sensitive data and intellectual property are stolen from systems that are protected by sophisticated network and host-based security. A motivated criminal group or nation state can and will always find a way inside enterprise networks. In the commercial and government sectors, hundreds of victims responded to serious intrusions costing millions of dollars and loss of untold terabytes of data. Cyber attacks originating from China dubbed the Advanced Persistent Threat have proved difficult to suppress. FOR508 will help you respond to and investigate these incidents.
This course will give you a firm understanding of advanced incident response and computer forensics tools and techniques to investigate data breach intrusions, tech-savvy rogue employees, advanced persistent threats, and complex digital forensic cases.
Utilizing advances in spear phishing, Web application attacks, and persistent malware, these new sophisticated attackers advance rapidly through your network. Incident responders and digital forensic investigators must master a variety of operating systems, investigation techniques, incident response tactics, and even legal issues in order to solve challenging intrusion cases. FOR508 will teach you critical forensic analysis techniques and tools in a hands-on setting for both Windows- and Linux-based investigations.
Attackers will use anti-forensic techniques to hide their tracks. They use rootkits, file wiping, timestamp adjustments, privacy cleaners, and complex malware to hide in plain sight, avoiding detection by standard host-based security measures. Everything will leave a trace; you merely need to know where to look.
Learning more than just how to use a forensic tool, by taking this course you will be able to demonstrate how the tool functions at a low level. You will become skilled with new tools, such as the Sleuthkit, Foremost, and the HELIX3 Pro Forensics Live CD. SANS’ hands-on technical course arms you with a deep understanding of the forensic methodology, tools, and techniques to solve advanced computer forensics cases.
FIGHT CRIME. UNRAVEL INCIDENTS... ONE BYTE AT A TIME.
Prerequisites: It is highly recommended that each student attend FOR408 prior to taking this course or have equivalent digital forensic experience in the field.
AUTHOR STATEMENT
“There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that.” Matt Olney said when describing the Advanced Persistent Threat. He was not joking. The results over the past several years clearly indicate that hackers employed by nation states and organized crime are racking up success after success. The Advanced Persistent Threat has compromised hundreds of organizations. Organized crime utilizing botnets are exploiting ACH fraud daily. Similar groups are penetrating banks and merchants stealing credit card data daily. Fortune 500 companies are beginning to detail data breaches and hacks in their annual stockholders reports. The enemy is getting better, bolder, and their success rate is impressive. We can stop them. We need to field more sophisticated incident responders and digital forensic investigators. We need lethal digital forensic experts that can detect and eradicate advanced threats immediately. A properly trained incident responder could be the only defense your organization has left in place during a compromise. FOR508 is crucial training for you to become a lethal forensicator to step up to these advanced threats. The enemy is good. We are better. This course will help you become one of the best.
- Rob Lee
GIAC Certification: www.giac.org
Cyber Guardian Program: www.sans.org/cyber-guardian
Computer Forensic Investigations and Incident Response is one of SANS’ most advanced and challenging courses. People with GCIA and GCFA certifications often land some of the most challenging jobs in information security. They have solved crimes that have appeared on the evening news.
FORENSICS 558
Five-Day Program • Mon, Sept 20 - Fri, Sept 24, 2010 • 9:00am - 5:00pm
30 CPE Credits • Instructor: Jonathan Ham
Laptop not required – each student will receive a FREE 10” mini laptop loaded with Network Forensics tools that you can take home.
Who Should Attend
• Network and/or computer forensic examiners
• Computer incident response team members
• Security architects
• Security administrators
• Law enforcement
• Anyone responsible for orchestrating a corporate or government network for evidence acquisition in the face of a criminal or civil investigation
Want to analyze DNS tunnel traffic? Carve cached Web pages out of central Squid proxies? Extract JPGs and GIFs from Snort packet captures for forensic investigations?
Network equipment, such as Web proxies, firewalls, IDS, routers, and even switches, contain evidence that can make or break a case. In FOR558 you’ll learn how to recover evidence from network-based devices and use it to build your case.
The first day we dive right into DNS tunnel analysis, DHCP log examination, and sniffing traffic. By day two, you’ll be extracting tunneled flow data from DNS NULL records and extracting evidence from firewall logs. On day three, we analyze Snort captures and the Web proxy cache. You’ll carve out cached Web pages and images from the Squid Web proxy. For the last two days, you’ll be part of a live hands-on investigation. Working in teams, you’ll use network forensics to solve a crime and present your case.
During hands-on exercises, we will use tools, such as tcpdump, Snort, ngrep, tcpxtract, and Wireshark, to understand attacks and trace suspect activity. Each student will be given a virtual network to analyze and will have the opportunity to conduct forensic analysis on a variety of devices.
Underlying all of our forensic procedures is a solid forensic methodology. This course complements FOR408: Computer Forensic Essentials, using the same fundamental methodology to recover and analyze evidence from network-based devices.
A hard drive is just a small part of the picture. Even if an attacker is smart enough to clean up tracks on the victim system, remnants remain in firewall logs, Web proxy caches, and other sources. FOR558: Network Forensics teaches students how to follow the attacker’s footprints and analyze evidence throughout the network environment.
As a part of this course you will receive a SANS Network Investigative Forensics Toolkit (SNIFT). With your SNIFT Kit, you will gain first-hand experience in collecting and analyzing evidence recovered from a network under investigation—and you can take it home with you!
The SNIFT Kit consists of:
• Lenovo IdeaPad S10 – 10” Mini Laptop!
• SANS VMware-based Forensic Analysis Network, complete with:
- Squid Web Proxy
- Firewall
- Snort IDS
- Web Servers
- DNS server
- DHCP server
- … and more!
• SANS Network Forensic Workstation, installed with:
- Packet Tools (tcpdump, Wireshark, ngrep, tcpxtract and others)
- Log Analysis Tools (Splunk, squidview, and more)
- Custom-written tools from the Network Forensics community (pcapcat, oftcat, & more)
• Course Netbook loaded with case examples!
PREREQUISITE: Students should have some familiarity with basic networking fundamentals, such as the OSI model and basics of TCP/IP. Please ensure that you can pass the SANS TCP/IP & Hex Knowledge quiz. Students should also have basic familiarity with Linux or willingness to learn in a Linux-based environment.
AUTHOR STATEMENT
Computer forensics has traditionally focused on file recovery and filesystem analysis performed against system internals or seized storage devices. However, the hard drive is only half the story. These days evidence almost always traverses the network and sometimes is never stored on a hard drive at all. Network forensics can reveal who communicated with whom, when, how, and how often. It can uncover the low-level addresses of the systems communicating, which investigators can use to trace an action or conversation back to a physical device. The entire contents of e-mails, IM conversations, Web surfing activities, and file transfers can be recovered and reconstructed to reveal the original transaction. More importantly, the protocol data that surrounded each conversation is often extremely valuable to the investigator, and this data can only be acquired from network-based devices. The payload inside the packet at the highest layer may end up on disc, but the envelope that got it there is only captured in the network traffic. Network forensics can reveal evidence that is crucial to building a case.
-Jonathan Ham
“This course is amazing. Not only are we covering an extensive
range of topics, we are doing lab work for each topic so that we
can be comfortable with the new material. Love the class!”
-DEBORAH GOSHORN, NAVAL POSTGRADUATE SCHOOL
558.2 Hands On: Active Evidence Acquisition and Covert Tunnels*
We’ll begin with covert ICMP and DNS tunnels. You’ll extract tunneled TCP and IP packets from DNS NULL records and use active evidence collection methods to uncover the rogue system administrator’s secret plot! By the afternoon we’ll conduct hands-on active evidence acquisition. You’ll inspect router ARP tables and firewall logs. Volatility and collection methods vary depending on configuration, manufacturer, and the environment. We’ll also cover ways that investigators can compensate for less-than-ideal network environments, using publicly available forensic evidence acquisition tools.
Topics: Data Tunneling In-Depth; A Formal Network-Based Investigative Methodology; Active and Interactive Evidence Acquisition
558.3 Hands On: Firewalls, IDS, Proxies, and Data Reconstruction*
Active evidence acquisition is the focus of day three. We’ll analyze IDS/IPS, central logging servers, and Web proxies such as Squid, during hands-on exercises throughout the day. By the end of day three, students will be using hex editors to carve cached evidence out of Web proxies and reconstruct Web surfing histories using only the central Web proxy logs.
Topics: Network Log Analysis In-Depth; Network Intrusion Detection & Analysis with Snort; Web Proxies, Encryption, & SSL Interception
558.4 Hands On: Network Forensics Unplugged*
At the beginning of the day, we will discuss wireless access point investigations and then learn about techniques for presenting digital evidence in court. After lunch we will begin our Capstone Case Study in which students will work as investigative teams, presented with a realistic scenario and a virtual network. You will identify sources of evidence, collect the evidence, reconstruct content, solve the crime, and present your analysis in “court.”
Topics: Wireless Access Point Investigations; Digital Evidence Court Primer; Capstone Case Study: Investigate a Crime and Present the Evidence
558.5 Hands On: Capstone Investigation*
Working in investigative teams, students will use forensic analysis tools to build a coherent picture of the crime. We will investigate by carving files out of raw network traffic and extracting sensitive data hidden in ICMP payloads. We will trace the attack to its source by correlating activity with firewall logs, central server logs, IDS logs, and other network-based evidence. Finally, we will identify one of our suspects by reconstructing cached Web content, analyzing DHCP logs, and implementing passive OS fingerprinting techniques. After using this evidence to build a solid case, we will develop a cohesive picture of the crime and discuss techniques for presenting supporting evidence in deposition.
Topics: Capstone Case Study: Investigate a Crime and Present the Evidence, cont.; Trace the Attack to its Source by Correlating: Firewall Logs, Central OS Logs, IDS Logs, and more; Reconstruct Web Histories and Cached Web Content; Analyze DHCP Logs; Fingerprint a Suspect’s Computer; Identify the Suspect using Network-based Evidence; Build a Case and Discuss Techniques for Presenting in Court
*This course is available to Forensics 558 participants only.
Register at www.sans.org/network-security-2010
Certified Instructor Jonathan Ham
Jonathan is an independent consultant who specializes in large-scale enterprise security issues, from policy and procedure, through staffing and training, to scalable prevention, detection, and response technology and techniques. With a keen understanding of ROI and TCO (and an emphasis on process over products), he has helped his clients achieve greater success for over 12 years, advising in both the public and private sectors, from small upstarts to the Fortune 500. He’s been commissioned to teach NCIS investigators how to use Snort, performed packet analysis from a facility more than 2,000 feet underground, and chartered and trained the CIRT for one of the largest U.S. civilian federal agencies. He currently holds the CISSP, GSEC, GCIA, and GCIH certifications and is a member of the GIAC Advisory Board. A former combat medic, Jonathan still spends some of his time practicing a different kind of emergency response, volunteering and teaching for both the National Ski Patrol and the American Red Cross.
FORENSICS 563
Five-Day Program • Mon, Sept 20 - Fri, Sept 24, 2010 • 9:00am - 5:00pm
30 CPE Credits • Laptop Required • Instructor: SANS Staff
Who Should Attend
• Information security professionals responsible for investigating misuse of mobile devices by employees and for responding to attacks against and theft of mobile devices
• Forensic investigators who want to process mobile devices in a forensically sound manner and use the resulting evidence in their work
• IT managers who need to understand the relevance of mobile devices in security breaches, policy violations, criminal activities, civil suits, and any resulting proceedings
• IT auditors who need tools and techniques for investigating mobile devices to ensure they are not being misused in a way that puts an organization at risk
• Law enforcement agents who need to extract information from mobile devices in a wide variety of crimes
• Attorneys who need an understanding of the types of evidence that can be extracted from mobile devices, the forensic process, legal issues (e.g., privacy, authentication, integrity), and how the findings can be used to build/strengthen a case
Mobile device forensics is a rapidly evolving field, creating exciting opportunities for practitioners in corporate, criminal, and military settings.
Written for students who are both new to and already familiar with mobile device forensics, this hands-on course provides the core knowledge and skills that a digital forensic investigator needs to process cell phones, PDAs, and other mobile devices. Using state-of-the-art tools, you will learn how to forensically preserve, acquire, and examine data stored on mobile devices and utilize the results for internal investigations or in civil/criminal litigation.
With the increasing prevalence of mobile devices, digital forensic investigators are encountering them in a wide variety of cases. Investigators within organizations can find stolen data and incriminating communications on devices used by rogue employees. In civil and criminal cases, investigators can extract useful evidence from mobile devices, can get a clearer sense of which individuals were in cahoots, and can even show the location of key suspects at times of interest. IT auditors, managers, and lawyers all need to understand the vast potential of mobile device forensics.
used to build/strengthen a case By guiding you through progressively more intensive exercises with
mobile devices, we familiarize you with the inner workings of these
devices and show you the benefits and limitations of various approaches
and tools. The combination of teaching skills and knowledge will enable
you to resolve investigations. The capstone exercise at the end of this
course is designed to hone your mobile device forensics skills and help
you apply them to an actual investigation.
Laptops are required for this course. A variety of devices will be available
for you to work with during the course. You are also encouraged to
bring used mobile devices and SIM cards from home to experiment with
using the tools and techniques in this course, but this is not required.
AUTHOR STATEMENT
Mobile devices are becoming ubiquitous, delivering powerful technology into our pockets, keeping
us connected wherever we are, and creating new security risks while providing valuable sources of
evidence. Individuals store personal data on their PDAs, parents use GPS enabled devices to track their
children, hospitals use handhelds to access medical data and support patient care, and companies give
each employee a Blackberry to support their business. Corporate spies and data thieves have been
caught using their mobile devices. Organized criminal groups have been infiltrated and unraveled
through their use of mobile devices. A killer’s mobile device showed his whereabouts at the time of the
crime and inadvertently recorded the sounds of his brutal acts. Sex offenders have videotaped their
crimes using mobile devices. Many vice officers and courts consider mobile devices an integral part of
drug trafficking and dealing. Using the proper methodology and tools, you can extract useful evidence
from mobile devices and obtain records from network service providers to help avert an attack, further
an investigation, or solve a crime. -Eoghan Casey
“This course was an informative,
hands-on, and concise class that changed
the way I look at security tools.”
-RICHARD SALMON, LOUISIANA STATE EMPLOYEE RETIREMENT SYSTEM
FORENSICS 610
Five-Day Program • Mon, Sept 20 - Fri, Sept 24, 2010 • 9:00am - 5:00pm
30 CPE Credits • Laptop Required • Instructor: Lenny Zeltser
Who Should Attend
• Anyone whose job requires an understanding of key aspects of malicious programs
• Individuals with responsibilities in incident handling, forensic analysis, Windows security, and system administration
• Individuals responsible for supporting their organization’s internal security needs
• Engineers from security product and service companies who are looking to deepen their malware analysis expertise
Expand your capacity to fight malicious code by learning how to analyze bots, worms, and trojans.
This popular five-day course discusses practical approaches to examining Windows malware using a variety of monitoring utilities, a disassembler, a debugger, and other tools useful for reverse-engineering malicious software. You don’t have to be a full-time malware searcher to benefit from this course—as organizations increasingly rely on their staff to act as first responders during a security incident, malware analysis skills become increasingly important.
expertise By covering both behavioral and code analysis approaches, this unique
course provides a rounded approach to reverse-engineering. As a result,
the course makes malware analysis accessible even to individuals with
a limited exposure to programming concepts. The materials do not
assume that the students are familiar with reverse-engineering; however,
the difficulty level of concepts and techniques increases quickly as the
course progresses.
In the first half of the course, you will learn how to set up an inexpensive
and flexible laboratory for understanding the inner workings of malware
and demonstrate the process by exploring capabilities of real-world
specimens. You will learn to examine the program’s behavioral patterns
and assembly code and study techniques for bypassing common code
obfuscation mechanisms. The course also explores how to analyze
browser-based malware.
In the second half of the course, you will review key assembly language
concepts. You will learn to examine malicious code to understand its flow
by identifying key logic structures, looking at examples of bots, rootkits,
key loggers, and so on. You will understand how to work with PE headers and handle DLL interactions. You will also develop skills for analyzing self-defending malware through advanced unpacking techniques and bypassing code-protection mechanisms. Finally, you will discover how to bypass obfuscation techniques employed by browser-based malicious scripts.
Hands-on workshop exercises are an essential aspect of this course and allow you to apply reverse-engineering techniques by examining malicious code in a carefully controlled environment. When performing the analysis, you will study the supplied specimen’s behavioral patterns, and examine key portions of its assembly code.
Prerequisites:
• Students should have a computer system that matches the stated laptop requirements. Some software needs to be installed before you come to class.
• Students should be familiar with using Windows and Linux operating environments and be able to troubleshoot general connectivity and setup issues.
REM course on YouTube
http://www.youtube.com/watch?v=5AFdZ0v23YA
Attention REM Course Alumni: Day five was very recently added to this course. If you’ve already attended the four-day version of the course (SEC610), you can take the whole five-day class now at a 50% discount or take just day five at one-fifth the full course price. This promotion is only valid in 2010. Please contact [email protected] for details.
*This course is available to Forensics 610 participants only.
Register at www.sans.org/network-security-2010
HOSTED COURSE
Five-Day Program • Mon, Sept 20 - Fri, Sept 24, 2010
9:00am - 7:00pm (Days 1-4) • 9:00am - 3:30pm (Day 5)
39 CPE Credits • Laptop Required • Instructor: Scott Moulton
Who Should Attend
• Anyone who has ever tried to image a hard drive with bad blocks only to have it fail and never be able to get a good image of the drive
• Corporate personnel who handle large amounts of data and hard drives
• System administrators and incident handling personnel who want to understand how a hard drive actually works and are interested in reassembling one from the ground up
• Anyone who wants to learn how to do data recovery on a damaged hard drive and to collect best evidence
• Anyone who wants to learn how file systems are structured and how data is stored so that they can understand where evidence exists on any type of hard drive
Evening Bootcamp Sessions
Evening hands-on session that allows students to utilize the knowledge gained throughout the course in an instructor-led environment.
5:00pm - 7:00pm (Days 1-4)
The data recovery world and the forensics world are very close in relation.
This course discusses topics valuable to both forensic and data recovery professionals alike and touches on data recovery topics relating to forensics.
Our primary goal is clear: To produce valid disk images and recover the data from marginally operative or defective media for use in data recovery or forensics.
The processes and methodologies taught in this course will train you to
collect an image on damaged evidence
where standard forensic imaging would have failed. You will
understand what kinds of problems hard drives have and what your
options are to recover the contents. Specialized data recovery trade
secrets used in these processes specifically will be discussed so we
can acquire data from damaged disks. We will perform some exciting
labs in which you will format a hard drive, put data on the drive,
disassemble the drive down to the bare metal, and then “successfully”
reassemble the drive and recover your data from it.
This course will highlight the tools that work well with corrupted file
systems, both in demonstration and in the lab exercises, and students
will learn the basics of file systems and logical recoveries. There will be
AUTHOR STATEMENT information regarding FAT, NTFS, Mac OSX HFS+ hard drive formats, EXT3,
The world of data recovery is cloaked in secrecy. Data Reiser recoveries, and what to do when there is damage, with examples of
recovery is a very difficult skill to learn and involves
each in labs. Students will also perform logical recoveries where we will
repairing damaged hard drives and recovering cor-
rupt data. Many times it is difficult just to find out use software and specialized data recovery equipment to image memory
how a particular hard drive works. As a forensics or sticks, hard drives, and image files.
data recovery community, from time to time we all If you would like five bootcamp days of training and learning trade secrets
run into damaged hard drives that are difficult to of the data recovery profession, this is the course for you. It will consist of
create an image of. At one time or another, we have
all been in that position where the software hangs
lecture and labs with mentoring on disassembly and reassembly of the
and never completes – a difficult situation to be in hard drives. Usually by the second day, the majority of students are able
when you have lawyers or clients looking over your to rebuild a hard drive and recover data from it. However, this course is
shoulder. What do you do when you have that type about process and methodologies, teaching the techniques used in data
of an error and your drive cannot be copied? The goal recovery labs so that you can understand and build on those skills.
of this class is to teach you how to handle a damaged
hard drive and what your options are. We will intro-
duce you to the proper hardware, equipment, and Hosted by
software that will give you the best possibility and
skills at completing this task. -Scott Moulton
nine years. He began his career with a specialty in rebuilding hard drives for investigative purposes. Since that time he has handled hard drives for many court cases that have involved depositions and testifying, including a murder investigation. Recently Scott worked on an FBI case where he had to completely reassemble a damaged hard

Hands On – Part 4: Drive and Data Recovery Forensics*
We will spend the first half of the day finishing up logical structures of the top three operating systems, followed by lecture and lab on assembling RAID 0 and RAID 5 arrays. First, we will finish up Windows and NTFS with the unusual differences between Vista and XP with regard to data recovery. During these sections, we will discuss the nature of each operating system, touching on its basic format and file structure. Labs will include HFSExplorer, where we can see the B* Tree structure stored in the Mac OSX Catalog. We will then move on to examining the basic functions and software available to recover Linux EXT 2/3 and Reiser. The labs for RAID 0 and RAID 5 will include several premade images, which we will process. You’ll see what happens when you have the settings for RAID wrong, quick and easy ways to identify the problems, how to find the correct settings by doing entropy by sight or sound, and correcting the issues so you can do a successful recovery.
Topics: RAID Acquisition; Reconstruction and Examination; MAC OSX Partition Corruption and Repair; Host Protected Areas
414
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
Bootcamp Sessions: 5:00pm - 7:00pm (Days 1-5) • 8:00am - 9:00am (Days 2-6)
51 CPE Credits • Instructor: Eric Conrad

Who Should Attend
• Security professionals who are interested in understanding the concepts covered in the CISSP® exam as determined by (ISC)2
• Managers who want to understand the critical areas of network security
• System, security, and network administrators who want to understand the pragmatic applications of the CISSP® 10 Domains
• Security professionals and managers looking for practical ways the 10 domains of knowledge can be applied to the current job
• In short, if you desire a CISSP or your job requires it, MGT414 is the training for you

Over the past 4 years, 98% of all respondents who studied our SANS® +S™ Training Program for the CISSP® Certification Exam and then took the exam passed, compared to a national average of around 70% for other prep courses.

This is an accelerated review course that assumes the student has a basic understanding of networks and operating systems and focuses solely on the 10 domains of knowledge as determined by (ISC)2:
Domain 1 - Information Security Governance & Risk Management
Domain 2 - Access Controls
Domain 3 - Cryptography
Domain 4 - Physical (Environmental) Security
Domain 5 - Security Architecture & Design
Domain 6 - Business Continuity & Disaster Recovery Planning
Domain 7 - Telecommunications & Network Security
Domain 8 - Application Security
Domain 9 - Operations Security
Domain 10 - Legal, Regulations, Compliance & Investigations

Each domain of knowledge is dissected into its critical components. Every component is discussed in terms of its relationship to other components and other areas of network security. After completion of the course, the student will have a good working knowledge of the 10 domains of knowledge and, with proper preparation, be ready to take and pass the CISSP® exam.

Obtaining your CISSP® certification consists of:
• Fulfilling minimum requirements for professional work experience
• Completing the Candidate Agreement
• Periodic audit based on submission of resume
• Passing the CISSP® 250 multiple-choice question exam with a scaled score of 700 points or greater
• Submitting a properly completed and executed Endorsement Form

Note: The official (ISC)2 courseware and the CISSP® exam are NOT provided as part of the training.

BOOTCAMP
This session has extended hours.
Evening Bootcamp Sessions: 5:00pm - 7:00pm days 1 - 5.
Morning Bootcamp Sessions: 8:00am - 9:00am days 2 - 6.

AUTHOR STATEMENT
The CISSP® certification has been around for almost 10 years and covers security from a 30,000 foot view. CISSP® covers a lot of theoretical information that is critical for a security professional to understand. However, this material can be dry, and since most students do not see the direct applicability to their jobs, they find it boring. The goal of this course is to bring the CISSP® 10 domains of knowledge to life. By explaining important topics with stories, examples, and case studies, the practical workings of this information can be discovered. I challenge you to attend the SANS CISSP® training course and find the exciting aspects of the 10 domains of knowledge. -Eric Cole, PhD

GIAC Certification: www.giac.org • DoD 8570 Required: www.sans.org/8570 • STI Masters Program: www.sans.edu
SANS® +S™ Training Program for the CISSP® Certification Exam is an accelerated SANS
CISSP® review course that covers the security concepts required for the CISSP® exam and will get you up
to speed fast! This course is for students who have a basic understanding of networks and operating
systems and focuses solely on the 10 domains of knowledge as determined by (ISC)2.
512
Five-Day Program • Mon, Sept 20 - Fri, Sept 24, 2010
9:00am - 6:00pm (Days 1-4) • 9:00am - 4:00pm (Day 5)
33 CPE Credits • Instructor: Stephen Northcutt

Who Should Attend
• This course is designed and taught for mid-level to C-level managers and leaders. It will give you the ability to better manage IT projects in a secure manner.
• Anyone with 8570 information assurance management responsibilities
• Senior executives
• Vice presidents
• Security or assurance officers and managers
• Upwardly mobile managers

This completely updated course is designed to empower advancing managers who want to get up to speed fast on information security issues and terminology. You don’t just learn about security; you learn how to manage security.

Lecture sections are intense; the most common student comment is that it’s like drinking from a fire hose. The diligent manager will learn vital, up-to-date knowledge and skills required to supervise the security component of any information technology project. Additionally, the course has been engineered to incorporate the NIST Special Papers 800 guidance so that it can be particularly useful to US government managers and supporting contractors.

GIAC Certification: www.giac.org • DoD 8570 Required: www.sans.org/8570 • STI Masters Program: www.sans.edu
Security Leaders and Managers earn the highest salaries (well over six figures) in information
security and are near the top of IT. Needless to say, to work at that compensation level, excellence is
demanded. These days, security managers are expected to have domain expertise as well as the classic
project management, risk assessment, and policy review and development skills.
525
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
36 CPE Credits • Instructor: Jeff Frisk

Who Should Attend
• Security professionals who are interested in understanding the concepts of project management
• Managers who want to understand the critical areas of making projects successful
• Individuals working with time, cost, quality, and risk sensitive projects and applications
• Security professionals and managers who would like to utilize effective communication techniques and proven methods to relate better to people
• Individuals interested in preparing for Project Management Institute’s – Project Management Professional (PMP®) Exam

Designed to give you the knowledge and tools you need to become a top-notch project manager, this course focuses on effective communication, human resources, and quality management.

Throughout the week, we will cover all aspects of project management from initiating and planning projects through managing cost, time, and quality while your project is active to completing, closing, and documenting as your project finishes. This course follows the basic project management structure from the Project Management Institute’s Guide to the Project Management Body of Knowledge (PMBOK® Guide) and also offers specific insight and techniques to help you get the job done. You will leave this course with specific tools that can be utilized immediately in your work environment. A copy of the Guide (Fourth Edition) is provided to all participants. You can reference the PMBOK® Guide and use your course material along with the knowledge you gain in class to solidify your preparation for the updated Project Management Professional (PMP®) Exam and the GIAC Certified Project Manager Exam.

The project management process is broken down into core process groups that can be applied across multiple areas of any project. This course covers cost, time, quality, and risk management, but not only from the point of view of projects that create final products. Keeping in line with prevalent needs from the InfoSec industry, we look at projects that create and maintain services and cover in depth how cost, time, quality, and risk affect IT security and the services we provide to others both inside and outside of our organizational boundaries. We go into great detail covering human resource management as well as effective communication and conflict resolution. People are the most valuable resource we have on a project, and the communication and conflict resolution techniques presented can be used in all areas of professional work. Above all, projects fail or succeed because of the people involved. You want to make sure the people involved with the development and execution of your project build a strong team and communicate effectively.

PMBOK® and PMP® are registered trademarks of the Project Management Institute.

AUTHOR STATEMENT
Managing projects to completion, with an alert eye on quality, cost, and time, is something most of us need to do on an ongoing basis. In this course, we break down project management into its fundamental components and work to galvanize your understanding of the key concepts with an emphasis on practical application and execution. Since project managers spend the vast majority of their time communicating with others, we focus on traits and techniques that enable effective communication. As people are the most critical asset in the project management process, effective and thorough communication is essential. -Jeff Frisk

“This course will provide a wealth of information to advance my career in the IT field.” -DOREEN LAWRENCE, LOS ALAMOS NATIONAL LAB

GIAC Certification: www.giac.org • STI Masters Program: www.sans.edu
Project Management and Effective Communications for Security Professionals and
Managers will help you hone your communication skills and enable you to succeed in managing
projects where quality, cost, and time are driving factors.
401
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
46 CPE Credits • Evening Bootcamp Sessions: 5:15pm - 7:00pm
Laptop Required • Instructor: Eric Cole, PhD

Who Should Attend
• Security professionals who want to fill the gaps in their understanding of technical information security
• Managers who want to understand information security beyond simple terminology and concepts
• Anyone new to information security with some background in information systems and networking

Maximize your training time and turbo-charge your career in security by learning the full SANS Security Essentials curriculum needed to qualify for the GSEC certification.

SANS Security Essentials is designed to give anyone interested in network security the skills required to be an effective player in this arena. This in-depth, comprehensive course provides the essential, up-to-the-minute knowledge and skills required for securing systems and organizations, and equips you with the language and theory of computer security. Learn all of this and more from the best security instructors in the industry.

BOOTCAMP

GIAC Certification: www.giac.org • DoD 8570 Required: www.sans.org/8570 • STI Masters Program: www.sans.edu • Cyber Guardian Program: www.sans.org/cyber-guardian
Security Essentials is our most popular training program. We strongly recommend you attend
the evening bootcamp sessions with hands-on exercises. These require the dedication to really
put in the hours, but they can help you fill in the gaps in your information security knowledge.
Everyone, except truly seasoned hands-on information security workers, can benefit from SANS
Security Essentials Bootcamp Style. A GSEC Certification can add 6-9% to your bottom line salary.
501
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
36 CPE Credits • Laptop Required • Instructor: James Tarala

Who Should Attend
• Students who have taken Security Essentials and want a more advanced 500-level course similar to SEC401
• People who have foundational knowledge covered in SEC401, do not want to take a specialized 500-level course, and still want a broad advanced coverage of the core areas to protect their systems
• Anyone looking for detailed technical knowledge on how to protect against, detect, and react to the new threats that will continue to cause harm to an organization

Cyber security will continue to increase in importance as attacks become stealthier, have a greater financial impact on an organization, and cause reputational damage.

While Security Essentials lays a solid foundation for the security practitioner, there is only so much that can be packed into a six-day course. SEC501 is a follow up to SEC401: SANS Security Essentials (with no overlap) and continues to focus on more technical areas needed to protect an organization. The course focus is on:
Prevention - configuring a system or network correctly
Detection - identifying that a breach has occurred at the system or network level
Reaction - responding to an incident and moving to evidence collection/forensics

Prevention is ideal, but detection is a must. We have to ensure that we constantly improve security to prevent as many attacks as possible. This prevention/protection occurs externally and internally. Attacks will continue to pose a threat to an organization as data becomes more portable and networks continue to be porous. Therefore a key focus needs to be on data protection – securing our critical information whether it resides on a server, in a robust network architecture, or on a portable device.

Despite our best effort at preventing attacks and protecting critical data, some attacks will still be successful. Therefore we need to be able to detect attacks in a timely fashion. This is accomplished by understanding the traffic flowing on your networks and looking for indication of an attack. It also includes performing penetration testing and vulnerability analysis against an organization to identify problems and issues before a compromise occurs.

Finally, once an attack has been detected, we must react in a timely fashion and perform forensics. By understanding how the attacker broke in, this can be fed back into more effective and robust preventive and detective measures, completing the security lifecycle.

AUTHOR STATEMENT
It is always a thrill after I finish teaching SEC401 to see students leave with a fire in their eyes and an excitement about them. They walked into class feeling overwhelmed that security is a lost cause, but they leave class understanding what they need to do and have a focus and drive to do the right thing to secure their organizations. However the next question we receive on a constant basis is, what course should I take next? How do I continue my journey? Well, it depends on what your focus area is. Do you want to get more into perimeter protection, IDS, operating system security, etc? The challenge is that many students have positions that do not allow them to focus on one area – they need to understand all of the key areas across security. What students are telling us is that they want a Security Essentials part 2 or a 500-level continuation of Security Essentials covering the next level of technical knowledge. In Security 501, SANS has decided to give students just what they have been asking for, and I am beyond thrilled with the results. We have identified core foundation areas that complement SEC401 with no overlap and continue to build a solid security foundation for network practitioners. -Eric Cole, PhD

“Really enjoyed all of the hands-on work. Real life scenarios are always good.” -ERIC LUELLEN, MURRAY STATE
security audits and assists internal audit groups to develop their programs. James completed his undergraduate studies at Philadelphia Biblical University and his graduate work at the University of Maryland. He also holds numerous professional certifications.

501.6 Hands On: Data Loss Prevention
Cyber security is all about managing, controlling, and mitigating risk to critical assets, which in almost every organization are composed of data or information. Perimeters are still important, but we are moving away from a fortress model and moving towards a focus on data. This is based on the fact that information no longer solely resides on servers where properly configured access control lists can limit access and protect our information; it can now be copied to laptops and plugged into networks. Data must be protected no matter where it resides.
Topics: Risk Management; Data Classification; Digital Rights Management; Data Loss Prevention (DLP)
SECURITY
502
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
6 CPE Credits/Day • Laptop Required • Instructor: Dave Shackleford

Who Should Attend
• Information security officers
• Intrusion analysts
• IT managers
• Network architects
• Network security engineers
• Network and system administrators
• Security managers
• Security analysts
• Security architects
• Security auditors

There is no single fix for securing your network.
That’s why this course is a comprehensive analysis of a wide breadth of technologies. This is probably the most diverse course in the SANS catalog, as mastery of multiple security techniques is required to defend your network from remote attacks. You cannot just focus on a single OS or security appliance. A proper security posture comprises multiple layers. This course was developed to give you the knowledge and tools necessary at every layer to ensure your network is secure.

The course starts by looking at common problems: Is there traffic passing by my firewall I didn’t expect? How did my system get compromised when no one can connect to it from the Internet? Is there a better solution than anti-virus for controlling malware? We’ll dig into these questions and more and answer them.

We all know how to assign an IP address, but to secure your network you really need to understand the idiosyncrasies of the protocol. We’ll talk about how IP works and how to spot the abnormal patterns. If you can’t hear yourself saying “Hummm, there are no TCP options in that packet. It’s probably forged,” then you’ll gain some real insight from this portion of the material.

Once you have an understanding of the complexities of IP, we’ll get into how to control it on the wire. We focus on the underlying technology used by all of the projects rather than telling you which are good and which are bad ones. A side-by-side product comparison is only useful for that specific moment in time. By gaining knowledge of what goes on under the cover, you will be empowered to make good product choices for years to come. Just because two firewalls are stateful inspection, do they really work the same on the wire? Is there really any difference between stateful inspection and network-based intrusion prevention, or is it just marketing? These are the types of questions we address in this portion of the course.

We move on to a proper, wire-level assessment of a potential product, as well as what options and features are available. We’ll even get into how to deploy traffic control while avoiding some of the most common mistakes. Feel like your firewall is generating too many daily entries for you to review the logs effectively? We’ll address this problem not by reducing the amount of critical data, but by streamlining and automating the back end process of evaluating it.

But you can’t do it all on the wire. A properly layered defense needs to include each individual host – not just the hosts exposed to access from the Internet, but hosts that have any kind of direct or indirect Internet communication capability as well. We’ll start with OS lockdown techniques and move on to third party tools that can permit you to do anything from sandbox insecure applications to full-blown application policy enforcement.

Most significantly, I’ve developed this course material using the following guiding principles: Learn the process, not just one specific product; You learn more by doing so hands-on problem-solving is key; Always peel back the layers and identify the root cause. While technical knowledge is important, what really matters are the skills to properly leverage it. This is why the course is heavily focused on problem solving and root cause analysis. While these are usually considered soft skills, they are vital to being effective in the role of security architect. So along with the technical training, you’ll receive risk management capabilities and even a bit of Zen empowerment.

AUTHOR STATEMENT
One of the things I love seeing in my students is the little light bulbs going on over their heads. I think a lot of people walk into the class thinking, “Hey I’ve been running a PIX or Firewall-1 firewall for a few years – I already know this perimeter stuff,” and they are blown away by how much they learn. A single line of defense was cool eight years ago. Today, attackers as well as their exploits are so sophisticated that a single line of security is no longer up to the task. In this class students learn about each layer that can be implemented to keep the attackers at bay. I’ve recently added to the course a ton of hands-on labs. Each technology really helps to solidify the student’s comfort zone. You learn about IDS and then immediately go hands-on with it in class. You learn about vulnerability checking and again, set up a scanner in class and start checking the reports. In many ways, this is probably the most difficult SANS class to master, as the knowledge learned is so diverse. Each technology is a required skill, however, if you are going to lock down your organization’s perimeter. -Chris Brenton

GIAC Certification: www.giac.org • Cyber Guardian Program: www.sans.org/cyber-guardian
Perimeter Protection In-Depth is suited for anyone wanting to become a firewall administrator
or perimeter designer. This course is also fantastic for auditors and consultants. Junior firewall
administrators earn from $35,000 to $55,000. More experienced firewall administrators can go up
to $90,000 or more. Consultants tend to earn 20 - 30% more than people with similar experience
levels working inside organizations if they can maintain a steady flow of work. Respected technical
certifications, like the GCFW and GCIA, can really help make a consultant stand out from the crowd.
503
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
36 CPE Credits • Laptop Required • Instructor: Mike Poor

Who Should Attend
• Intrusion detection analysts (all levels)
• Network engineers
• System, security, and network administrators
• Hands-on security managers

Learn practical, hands-on intrusion detection and traffic analysis from top practitioners/authors in the field.

This is the most advanced network intrusion detection program that has ever been taught. All of the course material is either new or just updated to reflect the latest attack patterns. This series is jam-packed with network traces and analysis tips. The emphasis is on increasing students’ understanding of the workings of TCP/IP and Hex, methods of network traffic analysis, and one specific network intrusion detection system—Snort. This course is not a comparison or demonstration of multiple NIDS. Instead, the knowledge/information provided here allows students to better understand the qualities that go into a sound NIDS and the “whys” behind them, and thus, to be better equipped to make a wise selection for their site’s particular needs.

This is a fast-paced course and students are expected to have a basic working knowledge of TCP/IP (see: www.sans.org/training/tcpip_quiz.php) in order to fully understand the topics that will be discussed. Although others may benefit, this course is most appropriate for students who are or will become intrusion detection analysts. Students generally range from novices with some TCP/IP background all the way to seasoned analysts. The challenging, hands-on exercises are specially designed for all experience levels. We strongly recommend that you spend some time getting familiar with TCPdump, WINdump, or another network analyzer output before coming to class.

PREREQUISITE
You must possess at least a working knowledge of TCP/IP and Hex. See www.sans.org/training/tcpip_quiz.php to test your TCP/IP and Hex basics knowledge.

AUTHOR STATEMENT
Guy Bruneau, Mike Poor, and I have worked as intrusion analysts for many years. Over the years, we have seen our fair share of attacks and suspicious traffic often leading to intrusions. Over time, we have developed various analysis techniques that work on new detects, and we have learned how to pass those on to the students. Attendees will learn how TCP/IP really works from instructors who have spent thousands of hours analyzing, researching, and categorizing suspicious traffic with a variety of security tools. You will learn from hundreds of old and current examples of detects that were captured in the real world and be able to apply these real-world examples to analyze known and new intrusion patterns. We are confident that students will put the training they receive from this course into practice the day they get back to the office. -Stephen Northcutt, Guy Bruneau, and Mike Poor

“This class heightens your security awareness on protecting your network and provides excellent examples, in detail, on how to accomplish this.” -LAURA FREEMAN, DND

GIAC Certification: www.giac.org • DoD 8570 Required: www.sans.org/8570 • STI Masters Program: www.sans.edu • Cyber Guardian Program: www.sans.org/cyber-guardian
Intrusion Detection In-Depth is one of our most advanced and challenging courses. People with
GCIA certifications have an advantage over other security job candidates and often land some of the
most interesting jobs in information security. Their salaries range from $50,000 to well into six figures.
504
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
36 CPE Credits • Laptop Required • Instructor: John Strand

Who Should Attend
• Incident handlers
• Leaders of incident handling teams
• System administrators who are on the front lines defending their systems and responding to attacks
• Other security personnel who are first responders when systems come under attack

If your organization has an Internet connection or a disgruntled employee (and whose doesn’t!), your computer systems will get attacked.

From the five, ten, or even one hundred daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets to the spyware your otherwise wholesome users inadvertently downloaded, attackers are targeting your systems with increasing viciousness and stealth.

By helping you understand attackers’ tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan, the in-depth information helps you turn the tables on computer attackers. This course addresses the latest cutting-edge insidious attack vectors, the ‘oldie-but-goodie’ attacks that are still so prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course includes a time-tested, step-by-step process for responding to computer incidents; a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them; and a hands-on workshop for discovering holes before the bad guys do. This workshop also includes the unique SANS Capture-the-Flag event on the last day where you will apply your skills developed throughout the session to match wits with your fellow students and instructor in a fun and engaging learning environment. You’ll get to attack the systems in our lab and capture the flags to help make the lessons from the whole week more concrete. Additionally, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence.

This challenging course is particularly well suited to individuals who lead or are a part of an incident handling team. Furthermore, general security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

AUTHOR STATEMENT
My favorite part of teaching Hacker Techniques, Exploits, and Incident Handling is watching students when they finally “get it.” It’s usually a two-stage process. First, students begin to realize how truly malicious some of these attacks are. Some students have a very visceral reaction, occasionally shouting out “Oh, shoot!” when they see what the bad guys are really up to. But if I stopped the process at that point, I’d be doing a disservice. The second
stage is even more fun. Later in the class, It is imperative that you get written permission from the proper authority in your
students gradually realize that even organization before using these tools and techniques on your company’s system and also
though the attacks are really nasty, they that you advise your network and computer operations teams of your testing.
can prevent, detect, and respond to them.
Using the knowledge they gain in this
course, they know they’ll be ready when a
bad guy launches an attack against their
systems. And being ready to thwart the
bad guys is what it’s all about.
- Ed Skoudis
Hacker Techniques, Exploits, and Incident Handling is a challenging course particularly well
suited to individuals who lead or are a part of an incident handling team or are penetration testers or
RED TEAM members. It focuses on how to detect malicious code and how to respond. High-end incident
handlers and penetration testers earn top dollars for the industry.
Certified Instructor
John Strand
John Strand currently is the owner and senior security researcher with Black Hills Information Security, and a consultant with Argotek, Inc for TS/SCI programs. As a certified SANS instructor he teaches: 504 “Hacker Techniques, Exploits and Incident Handling,” 517, “Cutting Edge Hacking Techniques,” and 560 “Network Penetration Testing.” He is a contributing author of Nagios 3 Enterprise Network Monitoring, and a regular contributor to SearchSecurity’s “Ask the Expert” series on the latest information security threats. He also regularly posts videos demonstrating the latest computer attacks and defenses at vimeo.com/album/26207. He started the practice of computer security with Accenture Consulting in the areas of intrusion detection, incident response, and vulnerability assessment/penetration testing. John then moved on to Northrop Grumman specializing in DCID 6/3 PL3-PL5 (multi-level security solutions), security architectures, and program certification and accreditation. He has a master’s degree from Denver University and is currently also a professor at Denver University. In his spare time he writes loud rock music and makes various futile
504.2 Hands On – Part 1: Computer and Network Hacker Exploits*
It is imperative that system administrators and security professionals know how to control what outsiders can see. Students who take this class and master the material can expect to learn the skills to identify potential targets and be provided tools they need to test their systems effectively for vulnerabilities. This day covers the first two steps of many hacker attacks: reconnaissance and scanning.
Topics: Reconnaissance; Scanning; Intrusion Detection System Evasion; Hands-on Exercises for a list of Tools
504.3 Hands On – Part 2: Computer and Network Hacker Exploits*
Computer attackers are ripping our networks and systems apart in novel ways while constantly improving their techniques. This course covers the third step of many hacker attacks – gaining access. For each attack, the course explains vulnerability categories, how various tools exploit holes, and how to harden systems or applications against each type of attack. Students who sign an ethics and release form are issued a CD-ROM containing the attack tools examined in class.
Topics: Network-Level Attacks; Gathering and Parsing Packets; Operating System and Application-Level Attacks; Netcat: The Attacker’s Best Friend; Hands-on Exercises with a list of Tools
504.4 Hands On – Part 3: Computer and Network Hacker Exploits*
Attackers aren’t resting on their laurels, and neither can we. They are increasingly targeting our operating systems and applications with ever-more clever and vicious attacks. This session looks at increasingly popular attack avenues as well as the plague of denial of service attacks.
Topics: Password Cracking; Web Application Attacks; Denial of Service Attacks; Hands-on Exercises with a list of tools
504.5 Hands On – Part 4: Computer and Network Hacker Exploits*
Once intruders have gained access into a system, they want to keep that access by preventing pesky system administrators and security personnel from detecting their presence. To defend against these attacks, you need to understand how attackers manipulate systems to discover the sometimes-subtle hints associated with system compromise. This course arms you with the understanding and tools you need to defend against attackers maintaining access and covering their tracks.
Topics: Maintaining Access; Covering the Courses; Five Methods for Implementing Kernel-Mode RootKits on Windows and Linux; the Rise of Combo Malware; Detecting Backdoors; Hidden File Detection; Log Editing; Covert Channels; Sample Scenarios
504.6 Hands On: Hacker Tools Workshop *
In this workshop you’ll apply skills gained throughout the week in penetrating various target hosts while playing Capture the Flag. Your instructor will act as your personal hacking coach, providing hints as you progress through the game and challenging you to break into the laboratory computers to help underscore the lessons learned throughout the week. For your own attacker laptop, do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop. Bring the right equipment and prepare it in advance to maximize what you’ll learn and the fun you’ll have doing it.
Topics: Capture the Flag Contest; Hands-on Analysis; General Exploits; Other Attack Tools and Techniques
Register at www.sans.org/network-security-2010
505
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
6 CPE Credits/Day • Laptop Required • Instructor: Jason Fossen
Who Should Attend
• Windows network security engineers and architects
• Windows administrators with security duties
• Anyone with Windows machines who wants to implement the SANS 20 Critical Security Controls
• Active Directory designers and administrators
• Those who must enforce security policies on Windows hosts
• Those deploying or managing a PKI or smart cards
• IIS administrators and Web masters with Web servers at risk
• Administrators who use the command line or scripting to automate their duties and must learn PowerShell (the replacement for CMD scripting and VBScript)
Will you be transitioning from Windows XP to Windows 7?
The Securing Windows course is fully updated for Windows Server 2008-R2 and Windows 7. Most of the content applies to Windows Server 2003 and XP too, but the focus is on 2008/Vista/7.
Concerned about the 20 Critical Security Controls of the Consensus Audit Guidelines? This course will help you implement the Critical Controls relevant to Windows systems, not just audit them, and will walk you through most of the tools step-by-step, too.
As a Windows security expert, how can you stand out from the crowd and offer management more than the usual apply-this-checklist advice? Be a security architect who understands the big picture. You can save your organization money, maintain compliance with regulations, secure your networks, and advance your career all at the same time. How? By leveraging the Windows infrastructure you’ve already paid for.
This program is a comprehensive set of courses for Windows security architects and administrators. It tackles tough problems like Active Directory forest design, how to use Group Policy to lock down desktops, deploying a Microsoft PKI and smart cards, pushing firewall and IPSec policies out to every computer in the domain, securing public IIS Web servers, and PowerShell scripting.
PowerShell is the future of Windows scripting and automation. Easier to learn and more powerful than VBScript, PowerShell is an essential tool for automation and scalable management. If there is one skill that will most benefit the career of a Windows specialist, it’s scripting. Most of your competition lack scripting skills, so it’s a great way to make your resume stand out. Scripting skills are also essential for being able to implement the 20 Critical Security Controls.
You are encouraged to bring a virtual machine running Windows Server 2008 Enterprise Edition configured as a domain controller, but this is not a requirement for attendance since the instructor will demo everything discussed on-screen. You can get a free evaluation version of Server 2008 from Microsoft’s Web site (just do a Google search on “site:microsoft.com Server 2008 trial”). You can use VMware, Virtual PC or any other virtual machine software.
This is a fun and fascinating course, a real eye-opener even for Windows administrators with years of experience. Come see why there’s a lot more to Windows security than just applying patches and changing passwords; come see why a Windows network needs a security architect.
AUTHOR STATEMENT
I’ve happily been with SANS for over a decade, and the courses I write are always guided by two questions: 1) What do administrators need to know to secure their networks? and 2) What should administrators learn to advance their careers as IT professionals? I’m not a Microsoft employee or a Microsoft-basher, so you won’t get either kind of propaganda here; my concern is with the health of your network and your career. As a security consultant I’ve seen it all (good, bad, and ugly) and my experience goes into the manuals I write for SANS and the stories I tell in seminar. The Securing Windows course is packed with interesting and useful advice which isn’t so easy to find on the Internet. We always have a good time, so I hope to meet you at the next conference! -Jason Fossen
professional certifications. He currently lives in Dallas, Texas.
Jason blogs about Windows Security Issues on the SANS Windows Security Blog.
https://blogs.sans.org/windows
505.5 Securing IIS 7.0
The demand for IIS security personnel is great because IIS is so widely deployed. This day focuses on IIS 7.0 in Windows Server 2008, but many of the principles discussed will apply to IIS 6.0 as well. You won’t be left out if you’re still running IIS 6.0. If you’re new to IIS 7.0, this course will get you up to speed.
Topics: Server Hardening; XML Configuration System; IIS Authentication and Authorization; Web-Based Applications; Logging and Auditing; FTP Over SSL (FTPS)
505.6 Windows PowerShell
To attend the course, you don’t have to bring a laptop, but if you do, get the latest version of PowerShell from Microsoft (www.microsoft.com/powershell). A CD-ROM will be handed out by the instructor with sample scripts and other files with which to experiment. During the course, we will walk through all the essentials of PowerShell together. The course presumes nothing, you don’t have to have any prior scripting experience to attend. And, most importantly, be prepared to have fun: PowerShell is just plain cooooooool.
Topics: What is PowerShell?; Cmdlets; Running Scripts; Namespace Providers; Piping Objects; Parameter Binding; Regular Expressions; Functions and Filters; The .NET Class Library; Using Properties and Methods at the Command Line; Accessing COM Objects: WMI, ADSI, ADO, etc.; Security and Execution Policy; And lots and lots of sample scripts to walk through...
Register at www.sans.org/network-security-2010
“The course introduced a wide range of technologies and issues I was completely unaware of- great exposure to new ideas. Jason’s depth of knowledge and examples are of great value.”
-JEFF RUFF, AASKI TECHNOLOGIES
SECURITY
Sampling of Topics
• Memory Attacks, Buffer Overflows
• File System Attacks, Race Conditions
• Trojan Horse Programs and Rootkits
• Monitoring and Alerting Tools
• Unix Logging and Kernel-Level Auditing
• Building a centralized logging infrastructure
• Network Security Tools
• SSH for Secure Administration
• Server “lockdown” for Linux and Unix
• Controlling root access with sudo
• SELinux and chroot() for application security
• DNSSEC deployment and automation
• mod_security and Web Application Firewalls
• Secure Configuration of BIND, Sendmail, Apache
• Forensic Investigation
PREREQUISITE
Students must possess at least a working knowledge of Unix. Most students who attend the track have a minimum of 3-5 years of Unix System Administration experience.
AUTHOR STATEMENT
A wise man once said, “How are you going to learn anything if you know everything already?” And yet there seems to be a quiet arrogance in the Unix community that we’ve figured out all of our security problems, as if to say, “Been there, done that.” All I can say is that what keeps me going in the Unix field, and the security industry in particular, is that there is always something new to learn, discover, or invent. In fifteen plus years on the job, what I’ve learned is how much more there is that I can learn. I think this is also true for the students in my courses. I regularly get comments back from students that say things like, “I’ve been using Unix for 20 years and I still learned a lot in this class.” That’s really rewarding.
- Hal Pomeranz
542
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
36 CPE Credits • Laptop Required • Instructor: Kevin Johnson
Who Should Attend
• General security practitioners
• Web site designers and architects
• Developers
Assess Your Web Apps In Depth.
Web applications are a major point of vulnerability in organizations today. Web app holes have resulted in the theft of millions of credit cards, major financial and reputational damage for hundreds of enterprises, and even the compromise of thousands of browsing machines that visited Web sites altered by attackers. In this intermediate- to advanced-level class you’ll learn the art of exploiting Web applications so you can find flaws in your enterprise’s Web apps before the bad guys do. Through detailed, hands-on exercises and training from a seasoned professional, you will be taught the four-step process for Web application penetration testing. You will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. You will utilize Cross-Site Scripting attacks to dominate a target infrastructure in our unique hands-on laboratory environment. And, you will explore various other Web app vulnerabilities, in depth, with tried-and-true techniques for finding them, using a structured testing regimen. You will learn the tools and methods of the attacker, so that you can be a powerful defender.
On day one, we will study the attacker’s view of the Web. We will learn an attack methodology and how the pen-tester uses JavaScript within the test. On day two, we will study the art of reconnaissance, specifically targeted to Web applications. We will also examine the mapping phase as we interact with a real application to determine its internal structure. During day three, we will continue our test by starting the discovery phase using the information we gathered on day two. We will focus on application/server-side discovery. On day four, we will continue discovery, focusing on client-side portions of the application, such as Flash objects and Java applets. On day five, we will move into the final stage of exploitation. Students will use advanced exploitation methods to gain further access within the application. Day six will be a Capture the Flag event where the students will be able to use the methodology and techniques explored during class to find and exploit the vulnerabilities within an intranet site.
Throughout the class, you will learn the context behind the attacks so that you intuitively understand the real-life applications of our exploitation. In the end, you will be able to assess your own organization’s Web applications to find some of the most common and damaging Web application vulnerabilities today.
AUTHOR STATEMENT
Testing the security of Web applications is not as simple as just knowing what SQL injection and cross-site scripting mean. Successful testers understand that methodical, thorough testing is the best means of finding the vulnerabilities within the applications. This requires a deep understanding of how Web applications work and what attack vectors are available. This course provides that understanding by examining the various parts of a Web application penetration. When teaching the class, I especially enjoy the use of real-world exercises and the in-depth exploration of Web penetration testing.
-Kevin Johnson
“This course was a huge eye opener for me. I will be handling my future pen tests a lot differently from now on.”
-CARL SKILES AMERINET
“This is the first course I have taken where I was completely
unaware of time – very engaging. Kevin is very knowledgeable
and an excellent representative of the SANS Institute.”
-SCOTT ASHTON, POLICE & FIRE FCU
560
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
36 CPE Credits • Laptop Required • Instructor: Ed Skoudis
Who Should Attend
• Penetration testers
• Ethical hackers
• Auditors who need to build deeper technical skills
• Security personnel whose job involves assessing target networks and systems to find security vulnerabilities
Find Security Flaws Before the Bad Guys Do.
Security vulnerabilities, such as weak configurations, unpatched systems, and botched architectures, continue to plague organizations. Enterprises need people who can find these flaws in a professional manner to help eradicate them from our infrastructures. Lots of people claim to have penetration testing, ethical hacking, and security assessment skills, but precious few can apply these skills in a methodical regimen of professional testing to help make an organization more secure. This class covers the ingredients for successful network penetration testing to help attendees improve their enterprise’s security stance.
We address detailed pre-test planning, including setting up an effective penetration testing infrastructure and establishing ground rules with the target organization to avoid surprises and misunderstanding. Then we discuss a time-tested methodology for penetration and ethical hacking across the network, evaluating the security of network services and the operating systems behind them.
IMPORTANT NOTE: SEC560 is one of the most technically rigorous courses offered by SANS. Attendees are expected to have a working knowledge of TCP/IP; cryptographic routines, such as DES, AES, and MD5; and the Windows and Linux command lines before they step into class. Although SEC401 and SEC504 are not prerequisites for SEC560, these courses cover the groundwork that all SEC560 attendees are expected to know. This course is technically in-depth and programming knowledge is NOT required.
Attendees will learn how to perform detailed reconnaissance, learning about a target’s infrastructure by mining blogs, search engines, and social networking sites. We’ll then turn our attention to scanning, experimenting with numerous tools in hands-on exercises. Our exploitation phase will include the use of exploitation frameworks, stand-alone exploits, and other valuable tactics, all with hands-on exercises in our lab environment. The class also discusses how to prepare a final report tailored to maximize the value of the test from both a management and technical perspective. The final portion of the class includes a comprehensive hands-on exercise in which students will conduct a penetration test against a hypothetical target organization following all of the steps.
The course also describes the limitations of penetration testing techniques and other practices that can be used to augment penetration testing to find vulnerabilities in architecture, policies, and processes. We address how penetration testing should be integrated as a piece of a comprehensive enterprise information security program.
AUTHOR STATEMENT
Successful penetration testers don’t just throw a bunch of hacks against an organization and regurgitate the output of their tools. Instead, they need to understand how these tools work in depth and conduct their test in a careful, professional manner. This course explains the inner workings of numerous tools and their use in effective network penetration testing and ethical hacking projects. When teaching the class, I particularly enjoy the hands-on exercises that culminate in a final pen-testing extravaganza lab.
-Ed Skoudis
“This course offers a great overview of the methodology and
issues to consider when planning a penetration test.”
-GREG SUTHERLAND, MCKEE FOODS CORP
617
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
36 CPE Credits • Laptop Required • Instructor: Joshua Wright
Who Should Attend
• Ethical Hackers and Penetration Testers
• Network Security Staff
• Network and System Administrators
• Incident Response Teams
• Information Security Policy Decision Makers
• Technical Auditors
• Information Security Consultants
• Wireless System Engineers
• Embedded Wireless System Developers
Despite the security concerns many of us share regarding wireless technology, it is here to stay.
In fact, not only is wireless here to stay, but it is growing in deployment and utilization, not only with wireless LAN technology and WiFi, but also for other applications including cordless telephones, smart homes, embedded devices, and more. Technology such as ZigBee and WiMAX offer new methods of connectivity to devices, while other wireless technology including WiFi, Bluetooth, and DECT continue their massive growth rate, each introducing their own set of security challenges and attacker opportunities.
To be a wireless security expert, you need to have a comprehensive understanding of the technology, the threats, the exploits, and the defense techniques along with hands-on experience in evaluating and attacking wireless technology. Not limiting your skill-set to WiFi, you’ll need to evaluate the threat from other standards-based and proprietary wireless technologies as well. This course takes an in-depth look at the security challenges of many different wireless technologies, exposing you to wireless security threats through the eyes of an attacker. Using readily available and custom-developed tools, you’ll navigate your way through the techniques attackers use to exploit WiFi networks, including attacks against WEP, WPA/WPA2, PEAP, TTLS, and other systems, including developing attack techniques leveraging Windows 7 and Mac OS X. We’ll also examine the commonly overlooked threats associated with Bluetooth, ZigBee, DECT, and proprietary wireless systems. As part of the course, you’ll receive the SWAT Toolkit, which will be used in hands-on labs to back up the course content and reinforce wireless ethical hacking techniques.
Using assessment and analysis techniques, this course will show you how to identify the threats that expose wireless technology and build on this knowledge to implement defensive techniques that can be used to protect wireless systems.
The SWAT Toolkit consists of:
• USB Global Positioning System (GPS) adapter
• All software and tools used in lab exercises based on Backtrack 4
In terms of technical content, this course ranks up at the top for in-depth, comprehensive information about wireless security. However, you don’t need to be an expert in wireless technology to succeed in this course. To help students consume the course content, I’ve written extensive notes for every topic, complete with review question and answer sections and recommendations for additional reading if you want to dig deeper. Many students comment that their favorite part about the course is the hands-on time, which makes up a significant part of the course. Classroom labs are written such that even if you have never used wireless technology or a Linux system before, you’ll be able to complete all exercises, and reproduce your results against your own networks when you return to the office. Combined with the excellent SANS instructors, everyone can take this class and gain useful and valuable skills for attacking and defending wireless networks.
AUTHOR STATEMENT
It’s been amazing to watch the progression of wireless technology over the past several years. WiFi has grown in maturity and offers strong authentication and encryption options to protect networks, and many organizations have migrated to this technology. At the same time, attackers are becoming more sophisticated, and we’ve seen significant system breaches netting millions of payment cards that start with a wireless exploit. This pattern has me very concerned, as many organizations, even after deploying WPA2 and related technology, remain vulnerable to a number of attacks that expose their systems and internal networks. In putting this class together, I wanted to help organizations recognize the multi-faceted wireless threat landscape and evaluate their exposure through ethical hacking techniques. Moreover, I wanted my students to learn critical security analysis skills so that, while we focus on evaluating wireless systems, the vulnerabilities and attacks we leverage to exploit these systems can be applied to future technologies as well. In this manner, the skills you build in this class remain valuable for today’s wireless technology, tomorrow’s technology advancements, and for other complex systems you have to evaluate in the future as well. If you have questions or comments about this course, I would be very happy to hear from you. Please e-mail me at [email protected]. -Joshua Wright
improving the security of modern networks. In his spare time, Josh looks for any opportunity to void the warranty on wireless electronics.
Wright maintains a popular blog at http://legal-beagle.typepad.com.
-CURTIS WISEMAN, AMBIR SOLUTIONS
617.5 Hands On – Part 4: Wireless Security Exposed*
Advanced wireless testing and vulnerability discovery systems will be covered including 802.11 fuzzing techniques. A look at other wireless technology including proprietary systems, cellular technology, and an in-depth coverage of Bluetooth risks will demonstrate the risks associated with other forms of wireless systems and the impact to organizations.
Topics: Wireless Fuzzing Tools and Techniques; Vulnerability Disclosure Strategies; Discovering Unencrypted Video Transmitters; Assessing Proprietary Wireless Devices; Traffic Sniffing in GSM Networks; Attacking SMS Messages and Cellular Calls; Bluetooth Authentication and Pairing Exchange; Attacking Bluetooth Devices; Sniffing Bluetooth Networks; Eavesdropping on Bluetooth Headsets
*This course is available to Security 617 participants only.
SECURITY
709
Six-Day Program • Mon, Sept 20 - Sat, Sept 25, 2010 • 9:00am - 5:00pm
39 CPE Credits • Evening Bootcamp Sessions: 5:00pm - 7:00pm (Days 2-4)
Laptop Required • Instructor: Stephen Sims
Who Should Attend
• Incident handlers looking to take the next step in understanding exploitation in its most technical form
• Network and system security professionals looking to understand the methods used to write exploit code and discover vulnerabilities
• Programmers and code review engineers looking to understand the threat of exploitation and how to write Proof of Concept (POC) code to demonstrate exploitation techniques
• Certification-holders looking to improve and put their practical knowledge to the test
• Anyone looking to build credibility and take a technical course on advanced hacking techniques
Zero-day vulnerabilities are being discovered more frequently, and malicious computer attackers are constantly trying to exploit them.
But when a new flaw is discovered, it is often difficult to determine whether it is truly exploitable, making an analysis of business risk difficult, if not impossible. Things get even murkier when the flaw is discovered in home-grown applications supporting an enterprise. Yet until now, only a small, self-selected, high-tech “priesthood” of security researchers have had the skills to determine whether a given flaw can lead directly to exploitation.
Do you want to join the skilled security researcher elite and stop relying on others to find your application’s vulnerabilities and start writing your own Proof of Concept (POC) code? Do you want the skills to be part of the security researcher “priesthood”?
“Provides an interactive avenue for learning new material and building lasting relationships.”
-JASON COLEMAN, LRN CORP.
In this course we bridge the gaps and take a step-by-step look at Linux and Windows operating systems and how exploitation truly works under the hood. This five-day course rapidly progresses through exploitation techniques used to attack stacks, heaps, and other memory segments on Linux and Windows. This is a fast-paced course that provides you with the skills to hit the ground running with vulnerability research. We end the course with a Capture the Flag (CTF) exercise requiring you to discover and exploit vulnerabilities on remote systems.
Attendees can apply the skills developed in this class to create and customize exploits for penetration tests of homegrown software applications and newly discovered flaws in widespread commercial software. Understanding the process of exploit development can help enterprises analyze their actual business risks better than the ambiguous hypotheticals we often contend with in most traditional vulnerability assessments.
This course is not for the faint of heart or those with modest skills. It provides leading-edge skills for the best technical security professionals, security researchers, and pen testers. If you are able to absorb it, the knowledge gained throughout the course will help you write custom exploits to gain privileged system access and determine the real risk to your business. Precompiled exploits won’t help you here!
AUTHOR STATEMENT
As a perpetual student of information security, I am excited to offer this course documenting the steps I took when diving head first into exploitation and writing Proof of Concept (POC) code. In all of my years focusing on these topics, I found many holes and unanswered questions. With this course I aim to bridge the gap between the daily practice of security engineering and the advanced world of security research and hacking. Attackers are always one step ahead and are relying on our tendency to become complacent with controls we work so hard to deploy. If you find this topic as fascinating as I do, I look forward to seeing you soon!
- Stephen Sims
709.1 Fuzzing for Bug Discovery*
Day one is a hands-on fuzzing day where we’ll examine the methods, techniques and tools behind
the use of fuzzing for vulnerability analysis. Credited for identifying numerous vulnerabilities in software
ranging from Cisco routers to the Windows RPC service, fuzzing is an important component of software
testing. We’ll quickly introduce the operational aspects of fuzzing and focus the day on how you can
leverage these techniques in your organization as a penetration tester, developer, QA engineer or
information security engineer, complete with case-studies of fuzzing success stories. This is followed by
the use of fuzzing tools and custom frameworks to test any service or file format for flaws, including several
hands-on exercises against live systems.
Topics: Establishing a Target Environment; Monitoring and Fault Identification Techniques; Designing Fuzzing Test Cases;
Quick-Start with Mutation-Based Fuzzing; Targeting Protocol Behavior for Improved Results; Building a Custom
Fuzzer Using the Sulley Framework; Leveraging Sulley for Post-Mortem Analysis; File Format Fuzzing
709.3 Advanced Linux Exploitation and Introduction to Windows*
Beginning with understanding format strings and their purpose, we then progress to discovering format
string vulnerabilities and what types of attacks can be performed. This is followed by a format string
exercise with the goal of taking control of a process. The next section focuses on heap exploitation
followed by writing your own shellcode, including an exercise of writing shellcode to spawn a shell
on Linux systems. We then change our focus from Linux over to Windows and take a tour of symbol
resolution from a Windows perspective. We’ll take a look at the assembly syntax and basic process
debugging. This is followed by analyzing the method in which the Windows OS manages memory in
various segments and many of the protections added from XP to Vista.
Topics: Abusing the Unlink() Macro on the Linux OS; Overwriting C and C++ Function Pointers; Identifying Format String
Vulnerabilities; Taking Control of a Process Via a Format String Exploit; Understanding Shellcode; Writing Efficient
Shellcode by Removing Null Bytes and Register Optimization; Understanding Symbol Resolution with the PE/COFF
Object File Format; Understanding the Difference Between Intel and AT&T x86 Assembly Format; Basic
Debugging with Ollydbg; Understanding Modern OS and Memory Protections on Windows
709.4 Windows Stack and Heap Exploitation*
On day four we start off by discovering a remote vulnerability on a Windows system through fuzzing.
Once the vulnerability is discovered, you’ll use a debugger to find the exact location of the vulnerability
and learn how to take control of the process. We then add in and bypass protections added to Windows
XP SP2&3 and Vista. We will look at Windows heap exploitation, including methods to abuse the Process
Environment Block (PEB) and other constructs to gain control of a process. We move from there into
browser-based exploitation and how to increase the chances of exploitation through heap spraying. The
day ends with looking at Windows shellcode and how it differs from Linux.
Topics: Using a Debugger to Analyze a Program; Basic Fuzzing to Discover Vulnerabilities; Abusing the Windows Stack
Implementation; Abusing Structured Exception Handling (SEH) to Gain Control of a Program; Abusing the
SafeSEH and DEP Controls Added to Windows XP SP2/3; Defeating Hardware Enforced DEP; Exploiting the
Process Environment Block (PEB) to Gain Program Control; Analyzing a Browser-based Vulnerability and Use Heap
Spraying to Increase Success; Understanding Windows Shellcode and DLL Resolution
709.5 Client-Side Exploitation and Patch Reversing*
Day five is an advanced day on Microsoft patch reversal and client-side exploitation. It is well known that
attackers download Microsoft patches as soon as they are available on “Patch Tuesday” of each month.
Other vendors experience the same problem. The attacker’s goal is to reverse engineer the patches to
locate the code changes, making it possible to quickly identify the vulnerability. Exploit code is often
generated within days, or even hours after discovery. Day five walks through the techniques used
to perform reversing and binary diffing. Once the vulnerability is located, you will walk through
debugging and exploit generation of a client-side attack.
Topics: Using IDA Pro to Reverse Engineer Microsoft Patches; Using the BinDiff Tool to Identify Code
Changes; Improve Microsoft Stack and Heap Exploitation Skills; Vulnerability Discovery in Less
Obvious Places; Understand and Develop Client-Side Exploits
709.6 Capture the Flag*
Day six is a full day of Capture the Flag (CTF) exercises. There will be various types of
vulnerabilities to discover and exploit with the goal of capturing flags. Utilizing all
of the knowledge gained throughout the course, you will work independently
or as a team to polish your skills and capture the most flags.
*This course is available to Security 709 participants only.
Register at www.sans.org/network-security-2010
Stephen Sims is an information security consultant currently working for Wells Fargo in
San Francisco, California. He has spent the past eight years in San Francisco working for
several large financial institutions on network and systems security, penetration testing,
exploitation development, and risk assessment and management. Prior to San Francisco,
Stephen worked in the Baltimore/DC area as a network security engineer for companies such
as General Motors and Sylvan Prometric. He is one of only a handful of individuals who holds
the GIAC Security Expert (GSE) Certification and also helps to author and maintain the current
version of the exam. He is a SANS certified instructor and the course author of SANS’ first and
only 700-level course, SEC709: Developing Exploits for Penetration Testers and Security
Researchers. Stephen also holds the CISSP, CISA, and Network Offense Professional (NOP)
certifications, amongst others.
Hosted
Five-Day Program • Mon, Sept 20 - Fri, Sept 24, 2010 • 9:00am - 6:00pm
35 CPE Credits • Laptop Required • Instructor: Manu Paul
Who Should Attend
• Software architects
• Software engineers/designers
• Software development managers
• Requirements analysts
• Project managers
• Business and IT managers
• Auditors
• Developers and coders
• Security specialists
• Auditors and quality assurance managers
• Application owners
It’s no secret that security is not being addressed from a
holistic perspective throughout the software lifecycle.
Some 70% of all security breaches are application related, equating to more
than 226 million records being disclosed and fines reaching astronomical amounts.
Together we have a solution that establishes industry standards and instills best
practices in the software lifecycle (SLC).
The (ISC)2 five-day CSSLP® CBK Education Program is the exclusive way to learn
security best practices and industry standards for the software lifecycle – critical
information to a CSSLP. This is where you will learn tools and processes on how
security should be built into each phase of the software lifecycle. It will also detail
security measures that need to take place beginning with the requirement phase,
through software design, all the way through software testing, and ultimately
disposal. This will ensure you’re properly prepared to take on the constantly evolving
vulnerabilities exposed in software development. Each software stakeholder is
responsible for certain phase(s) of the SLC, but all phases must have security built
into them. CSSLP is for all the stakeholders involved in the process. Each of the
seven CSSLP Domains (www.isc2.org/csslp-certification.aspx) covers how to build
security into the different phases.
The comprehensive (ISC)2 CSSLP CBK Education program covers the following domains:
• Secure Software Concepts - security implications in software development
• Secure Software Requirements - capturing security requirements
in the requirements gathering phase
• Secure Software Design - translating security requirements into application
design elements
• Secure Software Implementation/Coding - unit testing for security functionality
and resiliency to attack, and developing secure code and exploit mitigation
• Secure Software Testing - integrated QA testing for security functionality and
resiliency to attack
• Software Acceptance - security implication in the software acceptance phase
• Software Deployment, Operations, Maintenance, and Disposal - security issues
around steady state operations and management of software
“The course contains pertinent information that I can immediately use at work.”
-DAVID TATUM, FISERV, INC.
Download a brochure to learn more about the CSSLP.
http://www.isc2.org/uploadedFiles/Landing_Pages/with_form/CSSLP%20Prof%20Web.pdf
Please note that the price of tuition does NOT include the CSSLP exam.
http://www.isc2.org/uploadedFiles/Certification_Programs/exam_pricing.pdf
Host: (ISC)2
(ISC)2® is the globally recognized Gold Standard for certifying information
security professionals. Founded in 1989, (ISC)2® has certified nearly 60,000
information security professionals in 135 countries. (ISC)2® issues the
Certified Information Systems Security Professional (CISSP®) and related
concentrations, Certification and Accreditation Professional (CAP®),
and Systems Security Certified Practitioner (SSCP®) credentials to those
meeting necessary competency requirements. http://www.isc2.org
Future SANS Training Events
SANS Rocky Mountain 2010
July 12-17, 2010
www.sans.org/rocky-mountain-2010
Denver MGT414 • MGT512 • SEC401 • SEC503 • SEC560 • SEC566 • FOR408 • And More
Las Vegas SEC503 • SEC504 • SEC505 • SEC506 • SEC509 • SEC542 • SEC557 • SEC560
SEC617 • SEC709 • FOR408 • FOR508 • FOR558 • FOR563 • FOR610 • And More
Dates, locations, and courses offered are subject to change. For up-to-date information, visit www.sans.org.
SANS Network Security 2010
will be located at
Caesars Palace
43570 Las Vegas Blvd. • Las Vegas, NV 89109
Web site: http://www.caesarspalace.com
Reservations: 1-800-634-6661
SPECIAL RATES
A special discount rate of $192 S/D will be honored based on space
availability. Government per diem rooms are available with proper ID;
you will need to call reservations and ask for the SANS government rate.
These rates include high speed Internet in your room.
Make your reservations now as this special rate is only available
through Wednesday, September 1, 2010.
NOTE: You must mention that you are attending the SANS Institute
training event to get the discounted rate.
The resort will require a major credit card to guarantee your reservation. To cancel your reservation,
you must notify the resort at least 72 hours before your planned arrival date.
Welcome to the most prestigious resort in the world. From the shops of world-renowned
designers like Valentino and Louis Vuitton to the celebrity clientele at PURE
nightclub, you’ll discover legendary shopping and nightlife at Caesars Palace, plus a
world of luxury at our extraordinary swimming pools and spa.
Caesars Palace wants to lavish you with all the amenities that will make your stay
with us one you’ll always remember. Discover indulgence beyond expectation at
Qua Baths & Spa, featuring never before seen amenities like Roman baths, a dry-heat
Laconium room and a stunning, snow-filled Arctic Ice room. Caesars Palace is also
the home of celebrity stylist Michael Boychuck, “colorist to the stars.” Every salon in
town he’s touched has become a must-visit destination, and now Color, a Salon by
Michael Boychuck is exclusively at Caesars Palace.
At the Garden of the Gods Pool Oasis, graceful fountains and classically inspired
statuary surround three large swimming pools and two outdoor whirlpool spas so
you can relax with friends around sparkling waters.
After exploring all that our spa, salon, and pools have to offer, you can shop at more
than 120 stores in two elegant settings. The names on the storefronts are legendary,
and the merchandise inside is the best the world has to offer. From Cartier and
Roberto Cavalli to Salvatore Ferragamo, you can browse through the world’s finest
stores at the Forum Shops and Appian Way.
Then, cap off your night at PURE, our remarkable club that sets new standards for
Las Vegas nightlife. Owned in part by Celine Dion, Shaquille O’Neal, Andre Agassi
and Steffi Graf, PURE is three stylish venues in one, including a VIP room, a dance
floor with progressive DJs and a large outdoor patio with cascading waterfalls, walls
of fire and breathtaking views of the surrounding Strip.
Amtrak offers a 10% discount off the lowest available rail fare to Las Vegas, NV.
Please check the Web site for new code.
www.sans.org/network-security-2010/location.php
To book your reservation call Amtrak at 1 (800) 872-7245 or contact your local travel agent.
Conventions cannot be booked via Internet. This offer is not valid on Auto Train or Acela service.
Offer valid with Sleepers, Business Class, or First Class seats with payment of the full applicable
accommodation charges. Fare is valid on Metroliner service for all departures seven days a
week, except for holiday blackouts.
AVIS is proud to offer special rates for SANS Network Security 2010. Make your
reservations now and don’t forget to use your special discount code: J945620.
www.avis.com
Weather Conditions
September in Las Vegas is pleasant with highs around 95° and lows near 66°. For
the latest weather conditions and forecast, please consult www.weather.com.
Top 5 reasons to stay at Caesars Palace
1 All SANS attendees receive complimentary high-speed Internet when booking in the SANS Block.
2 No need to factor in daily cab fees and the time associated with travel to alternate hotels.
3 By staying at Caesars Palace, you gain the opportunity to further network with your industry peers
and remain in the center of the activity surrounding the conference.
4 SANS schedules morning and evening events at Caesars Palace that you won’t want to miss!
5 Everything is in one convenient location!
Dear Colleagues and Friends,
SANS Network Security 2010 is back in Las Vegas with more
courses, night sessions, and special events than ever before! With
SANS stationed in the middle of the world-famous Vegas strip,
you will find world-famous attractions, shows, restaurants, and
shopping all within walking distance. This city has so much more
to offer than just gambling – come see for yourself!
The training event will be held at Caesars Palace
(www.caesarspalace.com), which is an attraction in itself! This
property features the Forum Shops with over 160 stores and
14 restaurants. The Garden of the Gods pool complex has
just doubled in size. During SANS Network Security 2010, the
hotel tentatively has informed us that the Coliseum will have
performances by Jerry Seinfeld and Cher. The hotel also has
various dining options from high-end celebrity restaurants and
all-you-can-eat buffets to the Market Street Grill, a food court that
is quite popular for a quick bite!
Caesars Palace has the largest square footage of any hotel on
the strip. Since it will take approximately 10 minutes alone to
get from the front door to your classroom, we advise staying
inside the hotel. We also highly recommend you book early since
we will not be able to guarantee our special group rate after the
deadline. Most guest rooms at Caesars Palace are right next door
to our classrooms, and you will not even need to walk through the
casino. As an extra treat, you will receive complimentary high-speed
Internet – but only if you book under the special SANS group rate.
Even though it will be warm outside, you still want to bring a
jacket for the climate-controlled classrooms and cooler evenings.
You will also want to check out the SANS Network Security
2010 program guide for all of the action-packed presentations,
receptions, and events as well as the social board for student
gatherings around the city. Please feel free to send me an e-mail
at [email protected] for more recommendations of things to do in
Las Vegas.
Our goal is to ensure that you have the best possible time at
SANS Network Security 2010!
Brian Correia
Director, Business Development & Venue Planning
Five Reasons to Register
1. The best career move you will ever make!
That’s how one SANS alumnus described the IT security
education and networking opportunities offered
by SANS. Attending SANS Network Security 2010 is a
way of investing in your career. To reap the maximum
benefit, read the course descriptions carefully.
Check out the five- and six-day courses plus a wide
variety of one- to four-day skill-based short courses.
2. Why settle for second best?
If you want to increase your understanding of
information security and become more effective in
your job, you need to be trained by the best. “SANS
provides by far the most in-depth security training
with the true experts in the field as instructors,” says
Mark Smith, Costco Wholesale.
3. Challenge yourself!
Consider attempting GIAC (Global Information
Assurance Certification), the industry’s most
respected technical security certification. GIAC is the
only information security certification for advanced
technical subject areas, including audit, intrusion
detection, incident handling, firewalls and perimeter
protection, forensics, hacker techniques, and
Windows and Unix operating system security.
4. Become part of an elite group.
We’re referring to the group of technical, security-savvy
professionals who have had hands-on training
through SANS. Material taught in the SANS courses
directly applies to real-world challenges in your
IT environment. “Six days of training gave me six
months of work to do,” says Steven Marscovetra of
Norinchukin Bank. “It is amazing how much of the
training I can apply immediately at work.”
5. Don’t miss out on a good opportunity!
This is your chance to make a great career move, be
taught by the cream of the crop, challenge yourself, and
become part of an elite group during a full week of IT
security education and networking opportunities. Come
prepared to learn; we will come prepared to teach.