12/5/22, 7:39 PM Network, Endpoint, & Cloud Course - GIAC Security Essentials Certification | SANS SEC401
This course will teach you the most effective steps to prevent attacks and detect adversaries with
actionable techniques that can be used as soon as you get back to work. You will learn tips and tricks
designed to help you win the battle against the wide range of cyber adversaries that want to harm your
environment.
Organizations are going to be targeted, so they must be prepared for eventual compromise. Today more
than ever before, TIMELY detection and response is critical. The longer an adversary is present in your
environment, the more devastating and damaging the impact becomes. The most important question in
information security may well be, "How quickly can we detect, respond, and REMEDIATE an adversary?"
Information security is all about making sure you focus on the right areas of defense, especially as
applied to the uniqueness of YOUR organization. In SEC401, you will learn the language and underlying
workings of computer and information security, and how best to apply them to your unique needs. You
will gain the essential and effective security knowledge you will need if you are given the responsibility
to secure systems or organizations.
Whether you are new to information security or a seasoned practitioner with a specialized focus, SEC401
will provide the essential information security skills and techniques you need to protect and secure your
critical information and technology assets, whether on-premise or in the cloud. SEC401 will also show
you how to directly apply the concepts learned into a winning defensive strategy, all in the terms of the
modern adversary. This is how we fight; this is how we win!
BUSINESS TAKEAWAYS:
This course will help your organization:
Address high-priority security problems
Leverage the strengths and differences among the top three cloud providers (AWS, Microsoft Azure,
and Google Cloud Platform)
Build a network visibility map to validate the attack surface
Reduce your organization's attack surface through hardening and configuration management
You will learn (as applied both on-premise and in the cloud):
The core areas of cybersecurity and how to create a security program that is built on a foundation of
Detection, Response, and Prevention
Practical tips and tricks that focus on addressing high-priority security problems within your
organization and doing the right things that lead to security solutions that work
How adversaries adapt tactics and techniques, and importantly how to adapt your defense
accordingly
What ransomware is and how to better defend against it
How to leverage a defensible network architecture (VLANs, NAC, and 802.1x) based on advanced
persistent threat indicators of compromise
https://www.sans.org/cyber-security-courses/security-essentials-network-endpoint-cloud/ 2/38
The Identity and Access Management (IAM) methodology, including aspects of strong authentication
(Multi-Factor Authentication)
How to leverage the strengths and differences among the top three cloud providers (Amazon,
Microsoft, and Google), including the concepts of multi-cloud
How to identify visible weaknesses of a system using various tools and, once vulnerabilities are
discovered, configure the system to be more secure (realistic and practical application of a capable
vulnerability management program)
How to sniff network communication protocols to determine the content of network communication
(including access credentials) using tools such as tcpdump and Wireshark
How to use Windows, Linux, and macOS command line tools to analyze a system looking for high-
risk indicators of compromise, as well as the concepts of basic scripting for the automation of
continuous monitoring
How to build a network visibility map that can be used to validate the attack surface and determine
the best methodology to reduce the attack surface through hardening and configuration
management
Why some organizations win and why some lose when it comes to security, and most importantly,
how to be on the winning side
With the rise in advanced persistent threats, it is inevitable that organizations will be targeted. Defending
against attacks is an ongoing challenge, with new threats emerging all the time, including a next
generation of threats. In order to be successful in defending an environment, organizations need to
understand what really works in cybersecurity. What has worked - and will always work - is taking a risk-
based approach to cyber defense.
Hands-On Training
Our hands-on labs help students master the content and gain a deeper understanding of the concepts
they are learning. We've built these labs to further develop skills in a controlled environment.
Section 1: tcpdump; Wireshark; Aircrack-ng
Section 2: hashcat; Cain and Abel; Application Control (Whitelisting)
Section 3: Nmap; Malicious Software; Command Injection; hping3
Section 4: Image Steganography; GNU Privacy Guard (GPG); Snort; Hashing
Section 5: Process Hacker; NTFS Permissions Reporter; SECEDIT.EXE; PowerShell Scripting
"SEC401 covered a very wide range of security technologies, processes, and tools that will really open
your eyes. I liked how the course shows that not everything is magic, and packets of data can be
interpreted even without fancy tools. The labs were great for demonstrating the concepts, with flawless
instruction and seamless packet capture." - Fei Ma, DESE
What You Will Receive
Course books and labs
TCP/IP reference guides
MP3 audio files of the complete course lecture
Notice:
This course prepares you for the GSEC certification that meets the requirements of the DoD8140 IAT
Level 2.
Syllabus (46 CPEs)
SEC401.1: Network Security and Cloud Essentials
Overview
A typical way attackers can access companies' resources is through a network connected to the internet.
Organizations try to prevent as many attacks as possible, but since not all attacks will ultimately be
prevented, they must be detected in a timely manner. It is therefore critical to understand how to build a
defensible network architecture, including the types of network designs and the relational
communication flows.
In any organization large or small, all data is not created equal. Some data is routine and incidental,
while other data can be vastly sensitive and critical, and its loss can cause irreparable harm to an
organization. It is essential to understand how network-based attacks bring risk to critical data and how
an organization is vulnerable to such attacks. To achieve this, we need to become familiar with
communication protocols of modern networks.
Cloud computing becomes an obvious topic of discussion in relation to our modern public and private
networks. A conversation on defensible networking would not be complete without an in-depth
discussion of what the cloud is, and most importantly, the security abilities (and related concerns) of the
cloud that must also be taken into account.
Adversaries need our networks just as much as we do. Adversaries live off the land, mercilessly pivoting
from system to system on our network until they achieve their long-term goals. Said differently,
adversaries need to use OUR network to achieve THEIR goals. By understanding how our networks
function (relative to our unique needs), we can more easily uncover the activities of adversaries.
By the end of this section, you will understand Defensible Network Architecture, Protocols and Packet
Analysis, Virtualization and Cloud Essentials, and Wireless Network Security.
Exercises
Virtualized environment setup
Sniffing and analysis of network traffic including tcpdump
Sniffing, protocol decoding, and extraction of network traffic using Wireshark
Wireshark network communication attacks
Topics
Module 1: An Introduction to SEC401
This course is unique in its coverage of more than 30 topics of information security. This introductory
module reviews the structure of the course and the logistics of the class in concert with the "bootcamp"
hours and provides an overall thematic view of the course topics.
Module 2: Defensible Network Architecture
To properly secure and defend a network, you must first have a clear and strong understanding of both
the logical and physical components of network architecture. Above and beyond an understanding of
network architecture, however, properly securing and defending a network will further require an
understanding of how adversaries abuse the information systems of our network to achieve their goals.
Network Architecture
Attacks Against Network Devices
Network Topologies
Network Design
Module 3: Protocols and Packet Analysis
A solid understanding of the interworking of networks enables you to more effectively recognize, analyze,
and respond to the latest (perhaps unpublished) attacks. This module introduces the core areas of
computer networks and protocols.
Network Protocols Overview
Layer 3 Protocols
Internet Protocol
Internet Control Message Protocol
Layer 4 Protocols
Transmission Control Protocol
User Datagram Protocol
Tcpdump
Module 4: Virtualization and Cloud Essentials
This module will examine what virtualization is, the security benefits and the risks of a virtualized
environment, and the differences in virtualization architecture. Because cloud computing is architected
on virtualization, the module concludes with an extensive discussion of what the public and private cloud
is, how it works, the services made available by the public cloud (including security offerings), and related
security concepts.
Virtualization Overview
Virtualization Security
Cloud Overview
Cloud Security
Module 5: Securing Wireless Networks
This module will explain the differences between the various types of wireless communication
technologies available today, the insecurities present in those communications, and approaches to reduce
the risk of those insecurities to a more acceptable level.
The Pervasiveness of Wireless Communications
Traditional Wireless: IEEE 802.11 and its Continual Evolution
Personal Area Networks
5G Cellular (Mobile) Communications
The Internet of Things
SEC401.2: Defense in Depth
Overview
This section of the course looks at the big picture threats to our systems and how to defend against them.
We will learn that protections need to be layered, leveraging a principle called defense in depth.
The section starts with information assurance foundations. We look at security threats and how they
impact confidentiality, integrity, and availability. The most common aspect of defense in depth is
predicated on access controls, and so we move into a discussion on the aspects of identity and access
management (IAM). We will see that while passwords (the most common factor of authentication) were to
be deprecated and moved away from, this has not been the case and we still struggle today with
compromises that result from credential theft. What we can leverage for modern authentication becomes
the focus of the discussion on authentication and password security, especially as it applies to cloud
computing. Many consider IAM to be the new security perimeter for cloud-based functionality, so the
importance of its strong application cannot be overstated.
Toward the end of this section, we will shift the focus toward modern security controls that work in the
presence of the modern adversary. This is done by leveraging Center for Internet Security (CIS) Controls,
the NIST Cybersecurity Framework, and the MITRE ATT&CK knowledge base. In circling back to earlier
course content on network architecture, we might naturally be curious as to what else can be done using
an overall environmental focus to best secure our data in transit and at rest. This leads to a larger
discussion on data loss protection techniques.
Last but certainly not least, a discussion of defense in depth would not be complete without touching on
perhaps one of the most important technologies, one that is more heavily relied upon than ever before - mobile
devices. The course section will conclude with a thorough discussion of the benefits (and security risks) of
mobile devices, ranging from Bring Your Own Device (BYOD) to Mobile Device Management (MDM).
Exercises
Linux and bitcoin wallet password hash cracking with Hashcat
Windows password hash cracking with Cain and Abel
Application control with AppLocker by Microsoft
Topics
Module 6: Defense in Depth
This module examines threats to our systems and takes a big picture look at how to defend against them.
We will learn that protections need to be layered, a principle called defense in depth, and explain some
principles that will serve you well in protecting your systems.
Defense in Depth Overview
Risk = Threat x Vulnerability
Confidentiality, Integrity and Availability
Strategies for Defense in Depth
Core Security Strategies
Defense in Depth in the Cloud
Zero Trust Methodology
Variable Trust
Module 7: Identity and Access Management
This module discusses the principles of identity management and access control. Access control models
vary in their approaches to security. We will explore their underlying principles, strengths, and
weaknesses. The module includes a brief discussion on authentication and authorization protocols and
control.
Digital Identity
Authentication
Authorization
Accountability
Identity Access Management
Single Sign-On (SSO): On-Premise and Cloud
Traditional SSO
SAML 2.0
OAuth 2.0
Access Control
Controlling Access
Managing Access
Monitoring Access
Privileged Access Management: On-Premise and Cloud
Module 8: Authentication and Password Security
A discussion of identity and access management naturally leads to a conversation on authentication and
password security. We will spend time discussing the various types of authentication: something you
know, something you have, and something you are. We will focus specifically on the most common (and
problematic) example of the something-you-know authentication type: the password.
Authentication Types
Something You Know
Something You Have
Something You Are
Password Management
Password Techniques
Password (Passphrase) Policies
Password Storage
Key Derivation Functions
How Password Assessment Works
Password Attack Tools
Hashcat
Mimikatz
Multi-Factor Authentication
Adaptive Authentication
Module 9: Security Frameworks
In implementing security, it is important to have a framework that includes proper metrics. As is often
said, you cannot manage what you cannot measure. This module focuses on three frameworks: The
Center for Internet Security (CIS) Controls (created to help organizations prioritize the most critical risks
they face); the NIST Cybersecurity Framework (standards, guidelines, and best practices that can assist in
managing overall cybersecurity risk); and the MITRE ATT&CK knowledge base (adversary tactics and
techniques). Combining the prioritized actions of the CIS Controls with the understanding of overall risk
from the NIST Cybersecurity Framework, all in consideration of adversarial tactics and techniques, will
help put us on solid footing in defending against the modern adversary.
Introduction to the CIS Controls
Guiding Principles
Case Study: Sample CIS Control
Case Study: SolarWinds
NIST Cybersecurity Framework
Framework Core
Implementation Tiers
Framework Profiles
MITRE ATT&CK
Techniques
Mapping to Known Adversaries
Module 10: Data Loss Prevention
Loss or leakage?
In essence, data loss is any condition that results in data being corrupted, deleted, or made unreadable in
any way by a user and/or software (application). A data breach is, in most cases, an intentional or
unintentional security incident. Such incidents can lead to, among other things, unintentional information
disclosure, data leakage, and data spill. This module covers exactly what constitutes data loss or leakage,
and the methodologies that can be leveraged to implement an appropriate data-loss prevention
capability.
Loss or Leakage
Data Loss
Data Leakage
Ransomware
Preventative Strategies
Redundancy (On-Premise and Cloud)
Data Recovery
Related Regulatory Requirements
GDPR
CCPA
Data Loss Prevention Tools
Defending Against Data Exfiltration
Honeypots
User Activity Monitoring
Module 11: Mobile Device Security
This module starts with a quick comparison of the Android and iOS mobile operating systems and what
makes them so different. The module concludes with a brief discussion of the security features of both
systems.
Android versus iOS
Android Security
Android Security Features
What You Need to Know About Android
Android Fragmentation
Android Security Fix Process
Apple iOS Security
Apple iOS Security Features
What to Know About iOS
iOS Updates
Mobile Problems and Opportunities
Mobile Device Management
Unlocking, Rooting, and Jailbreaking
Mitigating Mobile Malware
Android Malware
iOS Malware
SEC401.3: Vulnerability Management and Response
Overview
In this section the focus shifts to various areas of our environment where vulnerabilities arise. We will
begin with an overall discussion of exactly what constitutes a vulnerability, and how to best implement a
proper vulnerability assessment program.
Penetration testing is often discussed in concert with vulnerability assessment, even though vulnerability
assessment and penetration testing are quite distinct from each other. So, in concluding our discussion of
vulnerability assessments, we move on to a proper and distinct discussion on what penetration testing is
and how best to leverage its benefits.
Because vulnerabilities represent weaknesses that adversaries exploit, a discussion of vulnerabilities
would not be complete without a serious discussion of modern attack methodologies based on real-
world examples of compromise. Of all the potential areas for vulnerabilities in our environment, web
applications represent one of the most substantial, with the most consequential risk. The extensive
nature of vulnerabilities that can arise from web applications dictates that we focus the attention of an
entire module on web application security concepts.
While it is true that vulnerabilities allow adversaries to penetrate our systems, sometimes with great
ease, it is impossible for those adversaries to remain entirely hidden post-compromise. In leveraging the
logging capabilities of our hardware and software, we might detect the adversary in a timely manner.
How we achieve such a capacity is the subject of our penultimate module: Security Operations and Log
Management.
Last but not least, we will need to have a plan of action for a proper response to the compromise of our
environment. The methodology for an appropriate incident response is the subject of the final module of
this section.
Exercises
System, port, and vulnerability discovery with Nmap
Trojan software
Leveraging application vulnerabilities for command injection
Malicious network packet crafting
Topics
Module 12: Vulnerability Assessments
This module covers the tools, technology, and techniques used for reconnaissance (including gathering
information), the mapping of networks, and scanning of vulnerabilities, all within the scope of a proper
vulnerability framework.
Introduction to Vulnerability Assessments
Steps to Perform a Vulnerability Assessment
Criticality and Risks
Module 13: Penetration Testing
The role of penetration testing, which is well understood by most organizations, gave rise to newer
testing techniques such as red and purple teaming and adversary emulation. Often, penetration testing is
limited in scope to where the testers are not truly able to emulate and mimic the behaviors of
adversaries. This is where the red teaming and adversary emulation come into play. A methodical and
meticulous approach to penetration testing is needed to provide business value to your organization.
The What and Why of Penetration Testing
Red Team
Adversary Emulation
Purple Team
Types of Penetration Testing
External
Internal
Web Application
Social Engineering
Mobile Device Testing
Internet of Things Testing
Penetration Testing Process
Penetration Testing Tools
Nmap
Metasploit
Meterpreter
C2 Frameworks and Implants
Password Compromise, Reuse, Stuffing, and Spraying
Module 14: Attacks and Malicious Software
This module will examine the Marriott breach, which compromised millions of records globally, as well as
ransomware attacks that continue to cripple hundreds of thousands of systems across different
industries. We will describe the attacks in detail, discussing not only the conditions that made them
possible, but also some strategies that can be used to help manage the risks associated with such
attacks.
High-Profile Breaches and Ransomware
Ransomware as a Service
Common Attack Techniques
Malware and Analysis
Module 15: Web Application Security
This module looks at some of the most important things to know about designing and deploying secure
web applications. We start with an examination of the basics of web communications, then move on to
cover HTTP, HTTPS, HTML, cookies, authentication, and maintaining state. We conclude by looking at how
to identify and fix vulnerabilities in web applications.
Web Communication Fundamentals
Cookies
HTTPS
Developing Secure Web Apps
OWASP Top Ten
Basics of Secure Coding
Web Application Vulnerabilities
Authentication
Access Control
Session Tracking/Maintaining State
Web Application Monitoring
Web Application Firewall (WAF)
Monolithic Architecture and Security Controls
Microservice Architecture and Related Attack Surface
Module 16: Security Operations and Log Management
This module covers the essential components of logging, how to properly manage logging, and the
considerations that factor into leveraging logging to its fullest potential.
Logging Overview
Log Collection Architecture
Log Filtering
Lack of Accepted Log Standards
Setting Up and Configuring Log Standards
Log Analysis Tools
Phased Approach
Log Aggregation, Security Information, and Event Management
Key Logging Activity
Module 17: Digital Forensics and Incident Response
This module explores the fundamentals of incident handling and why it is important to an organization.
We will outline a multi-step process to create our own incident handling procedures and response plans.
Being able to leverage digital forensic methodologies to ensure that processes are repeatable and
verifiable will also be a key focus of the material.
Introduction to Digital Forensics
What is Digital Forensics?
Digital Forensics in Practice
The Investigative Process
Remaining Forensically Sound
Examples of Examining Forensics Artifacts
DFIR Subdisciplines
Digital Forensics Tools
Incident Handling Fundamentals
Multi-Step Process for Handling an Incident
Incident Response: Threat Hunting
SEC401.4: Data Security Technologies
Overview
There is no silver bullet when it comes to security. However, there is one technology that would help
solve a lot of security issues, though few companies deploy it correctly. This technology is cryptography.
During the first half of this section, we will look at various aspects of cryptographic concepts and how
they can be used to help secure an organization's assets. A related discipline, steganography (information
hiding), will also be covered. During the second half of the section, we shift our focus to the various types
of prevention technologies that can be used to stop an adversary from gaining access to our organization
(firewalls, intrusion prevention systems). We will also look at the different detection technologies that
can detect the presence of an adversary (intrusion detection systems). These prevention and detection
techniques can be deployed from a network and/or endpoint perspective, and we will explore their
similarities and differences.
Exercises
Hiding communication and data using steganographic tools
Practical application of cryptographic capability with GPG
Triggering and analysis of detection alerts with the Snort IDS
Automated detection of adversarial activity with hashing
Topics
Module 18: Cryptography
Cryptography can provide the functional capabilities needed to achieve confidentiality, integrity,
authentication, and non-repudiation. There are three general types of cryptographic systems: symmetric,
asymmetric, and hashing. These systems are usually distinguished from one another by the number of
keys employed, as well as the security goals they achieve. This module discusses these different types of
cryptographic systems and how each type is used to provide a specific security function. The module also
introduces steganography, which is a means of hiding data in a carrier medium. Steganography can be
used for a variety of purposes but is most often used to conceal the fact that information is being sent or
stored.
Cryptosystem Fundamentals
Cryptography
Cryptanalysis
General Types of Cryptosystems
Symmetric
Asymmetric
Hashing
Digital Signatures
Steganography
Module 19: Cryptography Algorithms and Deployment
The content of this module will help us gain a high-level understanding of the mathematical concepts
that contribute to modern cryptography. We'll also identify common attacks used to subvert cryptographic
defenses.
Cryptography Concepts
Symmetric, Asymmetric, and Hashing Cryptosystems
AES
RSA
ECC
Cryptography Attacks (Cryptanalysis)
Module 20: Applying Cryptography
This module will discuss the practical applications of cryptography in terms of protection of data in
transit and protection of data at rest. We conclude with an important discussion on the management of
public keys (and the related concepts of certificates), all in terms of a Public Key Infrastructure.
Data in Transit
Virtual Private Networks (VPN)
IPsec
SSL-based
Security Implications
Data at Rest
File/Folder Level Encryption
Full Disk Encryption
GNU Privacy Guard (GPG)
Key Management
Public Key Infrastructure
Digital Certificates
Certificate Authorities
Module 21: Network Security Devices
Three main categories of network security devices will be discussed in this module: Firewalls, Network
Intrusion Detection Systems (NIDS), and Network Intrusion Prevention Systems (NIPS). Together, they
provide a complement of prevention and detection capabilities.
Firewalls
Overview
Types of Firewalls
Configuration and Deployment
NIDS
Types of NIDS
Snort as a NIDS
NIPS
Methods of Deployment
Security and Productivity Risk Considerations
Module 22: Endpoint Security
In this final module of the section, we examine some of the key components, strategies, and solutions for
implementing security from an endpoint perspective. This includes general approaches to endpoint
security, strategies for baselining activity, and solutions like Host-based IDS (HIDS) and Host-based IPS
(HIPS).
Endpoint Security Overview
Core Components of Endpoint Security
Enhancing Endpoint Security
Endpoint Security Solutions
Anti-malware
Endpoint Firewalls
Integrity Checking
HIDS and HIPS
Overview
Practical Considerations
SEC401.5: Windows and Azure Security
Overview
Remember when Windows was simple? Windows XP desktops in a little workgroup... what could be
easier? A lot has changed over time. Now we have Windows tablets, Azure, Active Directory, PowerShell,
Microsoft 365 (Office 365), Hyper-V, Virtual Desktop Infrastructure, and so on. Microsoft is battling Google,
Apple, Amazon, and other cloud giants for cloud supremacy. The trick, of course, is to do cloud securely.
Windows is the most widely used and targeted operating system on the planet. At the same time, the
complexities of Active Directory, Public Key Infrastructure, BitLocker, AppLocker, and User Account Control
represent both challenges and opportunities. This course section will help you quickly master the world
of Windows security while showing you the tools that can simplify and automate your work - both on-
premise and in the cloud (Microsoft Azure). You will complete the section with a good solid grounding in
Windows security by looking at automation and auditing capabilities for the Windows ecosystem.
Exercises
Process observation and analysis with Process Hacker
NTFS file system practical using NTFS Permissions Reporter
Auditing and enforcement of system baseline configurations with security templates
PowerShell scripting and automation techniques
Topics
Module 23: Windows Security Infrastructure
This module discusses the infrastructure that supports Windows security. This is a big picture overview of
the Windows security model. It provides the background concepts necessary to understand everything
else that follows.
Windows Family of Products
Windows Workgroups and Accounts
Windows Active Directory and Group Policy
Module 24: Windows as a Service
This module discusses techniques for managing Windows systems as they apply to updates (patches), as
well as newer cloud-based deployment methodologies (Windows Autopilot and Windows Virtual Desktop).
End of Support
Servicing Channels
Windows Update
Windows Server Update Services
Windows Autopilot
Windows Virtual Desktop
Third-Party Patch Management
Module 25: Windows Access Controls
This module focuses on understanding how permissions are applied in the Windows NT File System
(NTFS), Shared Folders, Registry Keys, Active Directory, and Privileges. BitLocker is discussed as another
form of access control (for encrypted information), and as a tool to help maintain the integrity of the
boot-up process if you have a Trusted Platform Module.
NTFS Permissions
Shared Folder Permissions
Registry Key Permissions
Active Directory Permissions
Privileges
BitLocker Drive Encryption
Secure Boot
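As an added example (not code from the course or from the NTFS Permissions Reporter exercise), the following PowerShell walks a directory tree and reports access control entries that grant write-level rights to broad principals. This is the finding an NTFS permissions report exists to surface: a directory under Program Files that BUILTIN\Users can modify lets a standard user replace a binary that a service later runs as SYSTEM. The root path, depth, and list of principals are assumptions chosen for illustration.

```powershell
# Added example, not SANS course code: find NTFS ACEs that give broad principals
# write-level rights. Root path, depth and principal list are assumptions.

$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Any of these lets the holder alter content, ACLs or ownership; on a directory
# holding service binaries that is a privilege escalation path.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, TakeOwnership, ChangePermissions'

function Get-WeakNtfsAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Depth = 1
    )
    # The root itself plus its children down to -Depth; unreadable entries are skipped.
    $targets = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Recurse -Depth $Depth -Force -ErrorAction SilentlyContinue)
    foreach ($t in $targets) {
        $acl = Get-Acl -LiteralPath $t.FullName -ErrorAction SilentlyContinue
        if ($null -eq $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Generic rights (e.g. GENERIC_ALL) show up as raw bit values, so mask as integers.
            if (([int]$ace.FileSystemRights -band [int]$WriteRights) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $t.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                AppliesTo = "$($ace.InheritanceFlags)/$($ace.PropagationFlags)"
            }
        }
    }
}

# Usage: scan the top levels of Program Files. Explicit (non-inherited) ACEs on a
# vendor directory are the ones that deserve a closer look.
Get-WeakNtfsAce -Path 'C:\Program Files' -Depth 1 |
    Sort-Object Path |
    Format-Table Path, Principal, Rights, Inherited -AutoSize
```

Run it elevated so that every directory can be read; a non-elevated run silently skips what it cannot open and under-reports. Deny ACEs are ignored on purpose, since the question is what a broad principal is allowed, not what it is refused.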
Module 26: Enforcing Security Policy
This module discusses one of the best tools for automating security configuration changes, SECEDIT.EXE,
which is the command-line version of Microsoft's Security Configuration and Analysis snap-in. We'll look
at some of the most important changes that can be made through the use of this tool, such as password
policy, lockout policy, and null user session restrictions. We'll also briefly discuss Group Policy Objects
(GPOs) and the many best practice security configuration changes that they can help enforce throughout
the domain.
Applying Security Templates
Employing the Security Configuration and Analysis Snap-in
Understanding Local Group Policy Objects
Understanding Domain Group Policy Objects
Administrative Users
Privileged Account Management
Reduction of Administrative Privileges
AppLocker
User Account Control
Windows Firewall
IPsec Authentication and Encryption
Remote Desktop Services
Recommended GPO Settings
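The SECEDIT.EXE workflow described above, as an added example that is not part of the course material: export the effective local policy to a security template, parse the template, and compare the password, lockout, and null-session settings against a baseline. The baseline values, the temporary file path, and the function names are assumptions; the INF section and key names are the ones secedit itself writes.

```powershell
# Added example, not SANS course code: audit local security policy with SECEDIT.EXE.
# Run from an elevated PowerShell prompt. Baseline values are assumptions for illustration.

# [System Access] keys, named exactly as secedit writes them in an exported template.
$Baseline = [ordered]@{
    'MinimumPasswordLength' = 14
    'PasswordComplexity'    = 1
    'PasswordHistorySize'   = 24
    'MaximumPasswordAge'    = 90
    'LockoutBadCount'       = 5     # 0 means accounts never lock out
    'LockoutDuration'       = 30
    'ResetLockoutCount'     = 30
}
# [Registry Values] entries use <path>=<type>,<value>; type 4 is REG_DWORD.
# RestrictAnonymous / RestrictAnonymousSAM = 1 block null-session enumeration.
$BaselineRegistry = [ordered]@{
    'MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous'    = '4,1'
    'MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM' = '4,1'
}

function Read-SecurityTemplate {
    # Parse an INF security template into @{ section = @{ key = value } }.
    param([Parameter(Mandatory)][string]$Path)
    $sections = @{}
    $current  = $null
    # secedit writes templates as UTF-16LE, hence -Encoding Unicode.
    foreach ($raw in Get-Content -Path $Path -Encoding Unicode) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            $sections[$current] = @{}
            continue
        }
        if ($current -and $line -match '^(.+?)\s*=\s*(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $sections
}

function Compare-SecurityPolicy {
    param([string]$ExportPath = (Join-Path $env:TEMP 'current-policy.inf'))
    # /export writes the effective local policy; the SECURITYPOLICY area covers
    # account policy, lockout policy and the security options stored as registry values.
    & secedit.exe /export /cfg $ExportPath /areas SECURITYPOLICY /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }
    $policy = Read-SecurityTemplate -Path $ExportPath
    if (-not $policy.ContainsKey('System Access')) { throw "No [System Access] section in $ExportPath" }

    $findings = New-Object System.Collections.Generic.List[object]
    foreach ($name in $Baseline.Keys) {
        $actual = $policy['System Access'][$name]
        $asInt  = $actual -as [int]
        $findings.Add([pscustomobject]@{
            Setting   = $name
            Expected  = $Baseline[$name]
            Actual    = $actual
            Compliant = ($null -ne $asInt -and $asInt -eq $Baseline[$name])
        })
    }
    foreach ($key in $BaselineRegistry.Keys) {
        $actual = $policy['Registry Values'][$key]
        $findings.Add([pscustomobject]@{
            Setting   = $key.Split('\')[-1]
            Expected  = $BaselineRegistry[$key]
            Actual    = $actual
            Compliant = ($actual -eq $BaselineRegistry[$key])
        })
    }
    return $findings
}

$report = Compare-SecurityPolicy
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Compliant } |
    ForEach-Object { Write-Warning "Non-compliant: $($_.Setting) is '$($_.Actual)', expected $($_.Expected)" }
```

To remediate, put the desired values into a template with the same sections and apply it with `secedit /configure /db baseline.sdb /cfg baseline.inf /areas SECURITYPOLICY`. On a domain-joined machine the domain GPO will reapply its own values at the next policy refresh, so a gap found here on a domain member is fixed in the GPO, not in the local template.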
Module 27: Microsoft Cloud Computing
Inside your LAN as well as in the cloud, you will likely have a mixture of servers. Microsoft's cloud is
known as Azure. On top of Azure, Microsoft has implemented services such as Microsoft 365, Exchange
Online, OneDrive, Intune, and many others. Microsoft has designed Windows 10 and later versions for
integration with Azure, so Windows security includes not just Windows alone, but also Azure. It's
important for your career as a security professional to understand the essential concepts of Microsoft
Azure.
Microsoft's All-In Bet on Cloud Computing
Microsoft Cloud Types: IaaS, PaaS, SaaS, and DaaS
Microsoft Azure
Azure Active Directory (Azure AD)
Azure AD Single Sign-On
Multi-Factor Authentication
Administrative Role Reduction
Endpoint Security Enforcement
Microsoft Intune
Azure Conditional Access
Azure Key Vault
Azure Monitor
Azure Sentinel (SIEM and SOAR)
Azure Policy
Azure Security Center
Module 28: Automation, Logging, and Auditing
Automation, logging, and auditing go together because if we can't automate our work, the auditing work
doesn't get done at all (or is done only sporadically). Also, if we can't automate our work, we can't make
our work scale beyond the small number of machines that we can physically touch. Thankfully, modern
Windows systems come with a very powerful automation capability: PowerShell. We will learn what
PowerShell is and how to leverage it in our pursuit of deployment consistency, detection of change,
remediation of systems, and even threat hunting!
What Is Windows PowerShell?
Windows PowerShell versus PowerShell Core
Windows Subsystem for Linux (WSL)
Automation and Command-Line Capability in Azure
PowerShell Az Module
Azure CLI
Azure Cloud Shell
Azure Resource Manager Templates
Runbooks
Gathering Ongoing Operational Data
Employing Change Detection and Analysis
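An added example of the change-detection idea from this module, written for it rather than taken from the course: a PowerShell script that snapshots file hashes, autostart registry entries, and service definitions on a Windows endpoint, stores the first snapshot as a baseline, and on later runs reports what was added, removed, or changed. The watched paths, registry keys, and baseline file location are assumptions; widen them to suit the systems you manage.

```powershell
# Added example, not SANS course code: snapshot-and-compare change detection for a
# Windows endpoint. Watched paths, registry keys and the baseline location are assumptions.

$WatchPaths = @(
    'C:\Windows\System32\drivers\etc',   # hosts file and friends
    'C:\Windows\System32\Tasks'          # scheduled task definitions (XML)
)
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$BaselineFile = Join-Path $env:ProgramData 'endpoint-baseline.json'

function Get-EndpointSnapshot {
    # Returns @{ 'file:<path>' = sha256; 'reg:<key>\<value>' = command; 'svc:<name>' = startmode|path }
    $snapshot = @{}
    foreach ($p in $WatchPaths) {
        Get-ChildItem -LiteralPath $p -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $snapshot["file:$($_.FullName)"] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
    foreach ($k in $RunKeys) {
        $item = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # PSPath, PSProvider, ... are provider metadata
            $snapshot["reg:$k\$($prop.Name)"] = [string]$prop.Value
        }
    }
    # New or re-pointed services are a common persistence mechanism.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $snapshot["svc:$($_.Name)"] = "$($_.StartMode)|$($_.PathName)"
    }
    return $snapshot
}

function Compare-EndpointSnapshot {
    param([Parameter(Mandatory)][hashtable]$Baseline, [Parameter(Mandatory)][hashtable]$Current)
    [pscustomobject]@{
        Added   = @($Current.Keys  | Where-Object { -not $Baseline.ContainsKey($_) })
        Removed = @($Baseline.Keys | Where-Object { -not $Current.ContainsKey($_) })
        Changed = @($Baseline.Keys | Where-Object { $Current.ContainsKey($_) -and $Current[$_] -ne $Baseline[$_] })
    }
}

function Import-EndpointSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    $obj   = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    $table = @{}
    foreach ($prop in $obj.PSObject.Properties) { $table[$prop.Name] = $prop.Value }
    return $table
}

$current = Get-EndpointSnapshot
if (-not (Test-Path -LiteralPath $BaselineFile)) {
    # First run: record the known-good state. Protect this file (or store it off-host);
    # an attacker who can rewrite it can hide their changes from every later run.
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselineFile -Encoding UTF8
    Write-Output "Baseline written: $($current.Count) items -> $BaselineFile"
} else {
    $diff = Compare-EndpointSnapshot -Baseline (Import-EndpointSnapshot -Path $BaselineFile) -Current $current
    foreach ($k in $diff.Added)   { Write-Warning "ADDED   $k = $($current[$k])" }
    foreach ($k in $diff.Removed) { Write-Warning "REMOVED $k" }
    foreach ($k in $diff.Changed) { Write-Warning "CHANGED $k -> $($current[$k])" }
    if (($diff.Added.Count + $diff.Removed.Count + $diff.Changed.Count) -eq 0) { Write-Output 'No changes since baseline.' }
}
```

Scheduled to run hourly with its warnings forwarded to the log collector, this turns a one-off audit into ongoing operational data; the same Added/Removed/Changed output, fed with snapshots from many hosts, is the starting point for the hunting questions (which host gained a new service this week, which Run key appeared on only one machine) that the module closes with.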
SEC401.6: Linux, AWS, and Mac Security
Overview
While organizations may not have many Linux systems, the Linux systems that they do have are often the
most critical systems that need to be protected. This course section focuses on the practical guidance
necessary to improve the security of any Linux system. It provides practical how-to instructions
with background information for Linux beginners, as well as security advice and best practices for
administrators with various levels of expertise.
Since Linux is perceived as a free operating system, it is no surprise that many advanced
security concepts are first developed for Linux. One example is containers, which provide powerful and
flexible concepts for cloud computing deployments. While not specifically designed for information
security purposes, containers are built on elements of minimization, and that is something we can
leverage in an overall information security methodology (as part of defense in depth). In this section we
will discuss what containers do and do not represent for information security, as well as best practices for
their management.
A discussion of Linux and UNIX concepts would not be complete without a comparison of AWS with the
Microsoft Azure material covered in section five of this course. We will examine the fundamentals of
AWS and discuss the impressive security controls available. Last, but not least, we conclude the section
with a review of Apple's macOS (which is based on UNIX). Apple's venerable macOS provides extensive
opportunities for hardware and software security, but is often misunderstood in terms of what can and
cannot actually be achieved.
Topics
Module 29: Linux Fundamentals
This module discusses the foundational items that are needed to understand how to configure and secure
a Linux system.
Operating System Comparison
Linux Vulnerabilities
Linux Operating System
Shell
Kernel
Filesystem
Linux Unified Key Setup
Linux Security Permissions
Linux User Accounts
Pluggable Authentication Modules
Built-in Command-Line Capability
Service Hardening
Package Management
Module 30: Linux Security Enhancements and Infrastructure
This module discusses security enhancement utilities that provide additional security and lockdown
capabilities for modern Linux systems. As discussed earlier in the course, taking advantage of logging
capabilities is an incredibly important aspect of modern cyber defense. Linux supports the well-
known Syslog logging standard (and its related features), which will be discussed in this module. As Syslog
continues to age, it may end up being unable to provide the logging features that modern cyber
defense demands. Because of this, we will explore additional logging enhancements ranging from Syslog-
ng to Auditd.
Operating System Enhancements
SELinux
AppArmor
Linux Hardening
Address Space Layout Randomization
Kernel Module Security
SSH Hardening
CIS Hardening Guides and Utilities
Log Files
Key Log Files
Syslog
Syslog Security
Log Rotation
Centralized Logging
Auditd
Firewalls: Network and Endpoint
Rootkit Detection
Module 31: Containerized Security
The importance of segmentation and isolation techniques cannot be overstated. Isolation techniques can
help mitigate the initial damage caused by an adversary, giving us more time for detection. In this
module, we will discuss various types of isolation techniques, including virtualization and containers.
Containers are a relatively new concept (as applied to information security). There can be a
lot of misunderstanding about which security benefits containers truly afford, and about the potential
security issues that may arise within containers themselves. We will discuss what containers are, best
practices to deploy them, and how to secure them.
Virtualization
Containers versus Virtual Machines
Containers and Orchestration
LXC
Cgroups and Namespaces
Docker
Docker Images
Kubernetes
Container Security
Docker Best Practices
Vulnerability Management
Secure Configuration Baselines
Terraform
Module 32: AWS Essentials, Controls, and Best Practices
In this extensive module, we discuss the foundational concepts of Amazon Web Services (AWS) necessary
to provide a better understanding of the interaction among AWS and its more commonly used services.
These foundational concepts lend themselves to an overview of some of the specific security capabilities
and services made available through AWS. Furthermore, we discuss these aspects of AWS in terms of cloud
best practice, as detailed by Amazon in its Well-Architected Framework.
Identity and Access Management in AWS
AWS IAM Key Concepts
Identity Federations and External Access
Amazon Cognito
Management Tools Within AWS
AWS Console
AWS CLI
AWS Commonly Used Services and Functionality
High-Availability
EC2
S3
Lambda
CloudFront
AWS Config
Amazon RDS
AWS Security Controls
NACLs versus Security Groups
AWS Network Firewall
AWS Shield and AWS Web Application Firewall
Amazon Macie
Key Management Service
Amazon Managed
Customer Managed
HSM
Amazon CloudWatch
Amazon CloudTrail
Amazon GuardDuty
AWS Well-Architected Framework (Security Pillar)
Implement a Strong Identity Foundation
Enable Traceability
Apply Security at All Layers
Network
Compute
Automate Security Best Practices
Protect Data in Transit and at Rest
Keep People Away from Data
Prepare for Security Events
Module 33: macOS Security
This module focuses on the security features that are built into macOS systems. Although macOS is a
relatively secure system that provides many different features, it can also be flawed just like any other
operating system.
What is macOS?
Privacy Controls
Keychain
Strong Passwords
Gatekeeper
Anti-Phishing and Download Protection
XProtect
Firewall
FileVault
Sandboxing and Runtime Protection
Security Enclaves
macOS Vulnerabilities and Malware
GIAC Security Essentials
The GIAC Security Essentials (GSEC) certification validates a practitioner's knowledge of information
security beyond simple terminology and concepts. GSEC certification holders are demonstrating that they
are qualified for hands-on IT systems roles with respect to security tasks.
Defense in depth, access control and password management
Cryptography: basic concepts, algorithms and deployment, and application
Cloud: AWS fundamentals, Microsoft cloud
Defensible network architecture, networking and protocols, and network security
Incident handling and response, data loss prevention, mobile device security, vulnerability scanning
and penetration testing
Linux: Fundamentals, hardening and securing
SIEM, critical controls, and exploit mitigation
Web communication security, virtualization and cloud security, and endpoint security
Windows: access controls, automation, auditing, forensics, security infrastructure, and services
More Certification Details
Prerequisites
SEC401 covers all of the core areas of security and assumes a basic understanding of technology,
networks, and security. For those who are new to the field and have no background knowledge, SEC275:
Foundations - Computers, Technology and Security or SEC301: Introduction to Cyber Security would be
the recommended starting point. While these courses are not a prerequisite for SEC401, they do provide
the introductory knowledge to help maximize the experience with SEC401.
Laptop Requirements
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read
and follow these instructions, you will likely leave the class unsatisfied because you will not be able to
participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to
arrive with a system meeting all the requirements specified for the course.
It is critical that you back-up your system before class. It is also strongly advised that you do not bring a
system storing any sensitive data.
Operating System
Your system must be running either the latest version of Windows 10, macOS 10.15.x or later, or
Linux that also can install and run VMware virtualization products described below.
Windows Credential Guard must be DISABLED (if running Windows as your host OS)
CRITICAL NOTE: Apple systems using the M1 processor line cannot perform the necessary
virtualization functionality and therefore cannot in any way be used for this course.
CPU
64-bit Intel i5/i7 2.0+ GHz processor
Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. To verify on
Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your
processor information will be toward the bottom of the page. To verify on a Mac, click the Apple logo
at the top left-hand corner of your display and then click "About this Mac".
BIOS
Enabled "Intel-VT"
Intel's VT (VT-x) hardware virtualization technology should be enabled in your system's BIOS or UEFI
settings. You must be able to access your system's BIOS throughout the class. If your BIOS is
password-protected, you must have the password. This is absolutely required.
RAM
16 GB RAM (or more) is highly recommended for the best experience. To verify on Windows 10, press
Windows key + "I" to open Settings, then click "System", then "About". Your RAM information will be
toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of
your display and then click "About this Mac".
Hard Drive Free Space
100 GB of FREE space on the hard drive is critical to host the VMs and additional files we distribute.
SSD drives are also highly recommended, as they allow virtual machines to run much faster than
mechanical hard drives.
Additional Requirements
The requirements below are in addition to the baseline requirements provided above. Prior to the start of
class, you must install VMware virtualization software and meet the additional software requirements as
described below.
VMware Player Install
VMware Workstation Player 15.5+, VMware Workstation Pro 15.5+, or VMware Fusion 11.5+.
If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-
day trial copy from VMware. VMware will send you a time-limited serial number if you register for
the trial on its website. VMware Workstation Player is a free download that does not need a
commercial license but has fewer features than Workstation Pro. THIS IS CRITICAL: Other
virtualization products, such as Hyper-V and VirtualBox, are not supported and will not work with
the course material.
You must have administrator access to the host OS and to all installed security software.
You must have the ability to reboot the laptop and login (i.e., you must have valid credentials for any
drive encryption or other security software installed)
Your course media will be delivered via download. The media files for class can be large, some in the 20
GB range. You need to allow plenty of time for the download to complete. Internet connections and speed
vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate
of the length of time it will take to download your materials. Please start your course media downloads
when you get the link. You will need your course media immediately on the first day of class. Waiting
until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an
electronic workbook in addition to the PDFs. The number of classes using electronic workbooks will grow
quickly. In this new environment, we have found that a second monitor and/or a tablet device can be
useful for keeping the class materials visible while the instructor is presenting or while you are working
on lab exercises.
If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.
Author Statement
From all observations of the world around us, it would appear that we might be living in a world of
never-ending compromise. At first glance, an increase in compromise might be attributed to having more
systems than ever before connected to more and more computer networks. On second glance, an increase
in compromise might be attributed to poor security practices. If having more systems connected to more
networks results in more compromise, we are in serious trouble. An ever-increasing number of systems
will continue to be connected in an increasingly connected world.
Surely today, with more security available to us than at any other time in the history of computing, an
ever-continuing increase in worldwide compromise can't be attributed to poor security practices. Or can
it? The truth is always complicated. It might be that we now live simultaneously in a world of ever-
increasing security capability AND ever-increasing compromise. As distressing as that might be, the
answer might be as simple as the notion that 'Offense informs Defense.'
In the spirit of that notion, SEC401 will provide you with real-world, immediately actionable knowledge
and information that will put you and your organization on the best footing possible to better counter the
modern adversary. Join us to learn how to fight, and how to win.
Bryan Simon, Lead Course Author, SEC401
"Bryan Simon's knowledge and personal experience continue to astound me. SEC401 course content has
been incredibly useful and will be directly applicable to my job, and the labs have practical use and are
great demonstrations of the concepts presented in lectures." - Thomas Wilson, Agile Systems
Ways to Learn
OnDemand
Study and prepare for GIAC Certification with four months of online access. Includes labs and exercises, and
support.
Live Online
Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to
students worldwide.
In Person (6 days)
Training events and topical summits feature presentations and courses in classrooms around the world.
Who Should Attend SEC401?
Security professionals who want to fill the gaps in their understanding of technical information security
Managers who want to understand information security beyond simple terminology and concepts
Operations personnel who do not have security as their primary job function but need an understanding of security
to be effective
IT engineers and supervisors who need to know how to build a defensible network against attacks
Administrators responsible for building and maintaining systems that are being targeted by attackers
Forensic specialists, penetration testers, and auditors who need a solid foundation of security principles to be as
effective as possible at their jobs
Anyone new to information security with some background in information systems and networking
NICE Framework Work Roles
Security Control Assessor (OPM 612)
Database Administrator (OPM 421)
Data Analyst (OPM 422)
Technical Support Specialist (OPM 411)
Network Operations Specialist (OPM 441)
System Administrator (OPM 451)
Systems Security Analyst (OPM 461)
Cyber Instructional Curriculum Developer (OPM 711)
IT Investment/Portfolio Manager (OPM 804)
Cyber Defense Analyst (OPM 511)
Cyber Defense Infrastructure Support Specialist (OPM 521)
See prerequisites
Need to justify a training request to your manager?
Use this justification letter template to share the key details of this training and certification opportunity with your boss.
Download the Letter
Related Programs
DoDD 8140 (IAT Level II)
See how this and other SANS Courses and GIAC Certifications align with the Department of Defense Directive
8140.
Masters Program
This course and certification can be applied to a master's degree program at the SANS Technology Institute.
Reviews
Very well rounded training. SEC401 has been excellent
Great that he (the instructor)
experience all around It is