Penetration Testing and Ethical Hacking Hacker Techniques, Exploits

Document Sample
Penetration Testing and Ethical Hacking Hacker Techniques, Exploits Powered By Docstoc
					The right security training        Taught by the world’s highest-rated instructors,
       for your staff,                 hands-on immersion training courses:
     at the right time,          Penetration Testing and Ethical Hacking
  in the right location.
                              Hacker Techniques, Exploits, and Incident Handling
                                  Security Essentials Bootcamp Style
                                    Intrusion Detection In-Depth
                              Computer Forensics, Investigation, and Response
                               Security Leadership Essentials for Managers
 GIAC Approved Training
                                Hacking and Defending Wireless Networks

                                        And more than   40 other courses in
                                      Audit • Legal • Management
                                  Network Security • Application Security

                                                                         So much useful and
                                                                            intriguing info.”
                                                            -erIc estes, hourland FInancIal solutIons

                                                                                   Register at
                                                                                           Step 1 Choose The Right Course For You  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .2
                                                                                           Step 2 Convince Your Boss  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .4
                                                                                           Step 3 Earn Your GIAC Certification  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .6
Dear Colleagues,                                                                           DoD Information  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .7
                                                                                           GIAC Security Expert (GSE)  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .7
It is my pleasure to invite you to SANS                                                    Special Events/Vendor Networking Activities  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .8
Network Security 2008, September
                                                                                           Skill-Based Short Courses
28-October 6, in Las Vegas. Please                                                         DEVELOPMENT: Application Security Courses
review this catalog to see the huge                                                        SEC419 Web Application Security Essentials  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .10
selection of courses that are available                                                    SEC522 Defending Web Applications  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .11
to bring you up to speed in your                                                           SEC538 Web Application Penetration Testing Fundamentals  .11
                                                                                           SEC542 Web Application Penetration Testing In-Depth  .  .  .  .  .  .11
profession. You simply cannot afford                                                       DEVELOPMENT: Secure Development Courses
to miss the information and training                         Stephen Northcutt             SEC536 Secure Coding for PCI Compliance  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .12
offered here specifically related to                                                       SEC541 Secure Coding in Java/JEE: Developing Defensible Apps 12
network security!                                                                          SEC545 PHP Secure Coding  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .12
Over 40 hands-on, immersion courses are scheduled with a dozen                             SEC610 REM: Malware Analysis Tools and Techniques  .  .  .  .  .  .  .13
new courses in the lineup at this major annual event. Turn the pages                       SEC601 REM: The Essentials of Malware Analysis  .  .  .  .  .  .  .  .  .  .  .13
for complete course information. If, after reviewing this brochure, you                    SEC602 REM: Additional Tools and Techniques  .  .  .  .  .  .  .  .  .  .  .  .  .13
                                                                                           SEC334 SANS Training for the CompTIA Security+ Cert . .  .  .  .  .  .13
need further assistance selecting courses that will best meet your                         SEC609 Security Research  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .13
needs, please e-mail me at, and I’ll try to help.                         SEC540 VoIP Security  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .14
                                                                                           SEC517 Cutting-Edge Hacking Techniques  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .14
This event is a great opportunity to sharpen your skills, and boost your                   SEC526 Next Evolution in Digital Forensics  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .15
career. NS2008 offers training and other opportunities that are simply                     SEC531 Windows Command-Line Kung Fu In-Depth  .  .  .  .  .  .  .  .15
not available anywhere else:                                                               SEC546 IPv6 Essentials  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .15
                                                                                           SEC553 Up and Running with the Metasploit Framework  .  .  .  .16
   • This event brings together the top-rated system security instructors in the           SEC556 Comprehensive Packet Analysis  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .16
     world, like Eric Cole, Joshua Wright, Ed Skoudis, Lenny Zeltzer, Chris Brenton,       SEC304 Software Security Awareness .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .16
     and Mike Poor.                                                                        SEC427 Browser Forensics  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .17
                                                                                           SEC550 Power Search with Google  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .17
   • Network Security 2008 courses address the actual problems security professionals      AUD521 Meeting the Minimum: PCI/DSS 1 .1  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .17
     face today. We have invited presentations from people who have solved real-world      MANAGEMENT
     problems and who will present “proven” solutions. Their real-world stories and        MGT421 SANS Leadership and Management Competencies  .  .18
                                                                                           MGT431 Secure Web Services for Managers  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .18
     solutions will enable you to leave with the knowledge and confidence to put the
                                                                                           MGT432 Information Security for Business Executives  .  .  .  .  .  .  .18
     things you learned to work right away.                                                HOSTED SERIES
   • In addition to being seasoned professionals, SANS faculty members are                 DIACAP  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .19
                                                                                           Mobile Phone Forensics Survival Course  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .19
     extraordinary speakers. They bring the knowledge to life.                             Macintosh Forensic Survival Course  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .19
   • Not only are the NS2008 instructors first-class, but so is the hotel. This year we    Job-Based 5-6 Day Courses
     return to Caesars Palace, one of the best facilities in the country to host a major   LEG523 Legal Issues in Info . Technology and Info . Security  .  .  .20
     training event.                                                                       MGT504 Hacking For Managers  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .21
                                                                                           AUD410 IT Security Audit and Control Essentials  .  .  .  .  .  .  .  .  .  .  .  .22
   • There will be numerous Lunch & Learn presentations and Cocktail Briefs to help you    AUD507 Auditing Networks, Perimeters, and Systems  .  .  .  .  .  .  .24
     find the right solutions for your company’s unique challenges. Our Vendor Tools       MGT411 SANS 17799/27001 Security and Audit Framework  .  .26
                                                                                           MGT414 SANS® +S™ Training Program for the CISSP® Cert Exam 28
     Expo & Reception will provide live demonstrations of cutting-edge technologies
                                                                                           MGT512 SANS Security Leadership Essentials for Managers  .  .  .30
     and tools you can use.                                                                MGT525 Project Management and Effective Communications  .32
   • The networking opportunities at NS2008 will put you in contact with skilled           SEC301 Intro to Information Security  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .34
                                                                                           SEC401 SANS Security Essentials Bootcamp Style .  .  .  .  .  .  .  .  .  .  .36
     experts who can help you when you need it. Valuable professional relationships        SEC501 Adv . Security Essentials ++ - GIAC Enclave Defender 40
     that last for years are forged at SANS events.                                        SEC502 Perimeter Protection In-Depth  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .42
                                                                                           SEC503 Intrusion Detection In-Depth  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .44
 “SANS provides by far the most in-depth security training with                            SEC504 Hacker Techniques, Exploits, and Incident Handling  .  .46
          the true experts in the field as instructors.”                                   SEC505 Securing Windows  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .50
                          -marK smIth, costco Wholesale                                    SEC506 Securing Unix/Linux  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .52
                                                                                           SEC508 Computer Forensics, Investigation, and Response  .  .  .54
Start making your plans today to join SANS in Vegas. I look forward to                     SEC509 Securing Oracle  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .56
meeting you there.                                                                         SEC560 Network Penetration Testing and Ethical Hacking  .  .  .58
                                                                                           SEC617 Hacking and Defending Wireless Networks  .  .  .  .  .  .  .  .  .60
                                                                                           SANS NETWORK SECURITY 2008 Resources
                                                                                           Future SANS Training Events/Training Without Travel .  .  .  .  .  .  .  .  .63
Stephen Northcutt
                                                                                           Hotel and Travel/Registration Information  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .64
President, The SANS Technology Institute,                                                  Fees and Registration Form  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .65
a computer security postgraduate college
                                                                        SUN	 MON	       TUE	    WED	    THU	    FRI	    SAT	    SUN	 MON	
                                                                        9/28 9/29 9/30 10/1 10/2 10/3 10/4 10/5 10/6
AUD410	 IT Security Audit and Control Essentials                                410.1 410.2 410.3 410.4 410.5 410.6
AUD507	 Auditing Networks, Perimeters, and Systems                              507.1 507.2 507.3 507.4 507.5 507.6
LEG523	 	 egal Issues in Information Technology and                             523.1 523.2 523.3 523.4 523.5

         Information Security
MGT411 SANS 17799/27001 Security and Audit Framework                            411.1 411.2 411.3 411.4 411.5 411.6
MGT414	 	SANS® +S™ Training Program for the CISSP® Certification Exam           414.1 414.2 414.3 414.4 414.5 414.6
MGT504	 Hacking For Managers                                                    504.1 504.2 504.3 504.4 504.5 504.6
MGT512	 	 ANS Security Leadership Essentials for Managers with                  512.1 512.2 512.3 512.4 512.5

         Knowledge Compression™
MGT525	 Project Management and Effective Communications for                     525.1 525.2 525.3 525.4 525.5 525.6
         Security Professionals and Managers
SEC301	 Intro to Information Security                                           301.1   301.2   301.3   301.4   301.5
SEC401	 SANS Security Essentials Bootcamp Style                                 401.1   401.2   401.3   401.4   401.5   401.6
SEC501	 	 dvanced Security Essentials ++ – GIAC Enclave Defender
                                                                                501.1   501.2   501.3   501.4   501.5
SEC502	 Perimeter Protection In-Depth                                           502.1   502.2   502.3   502.4   502.5   502.6
SEC503	 Intrusion Detection In-Depth                                            503.1   503.2   503.3   503.4   503.5   503.6
SEC504	 Hacker Techniques, Exploits, and Incident Handling                      504.1   504.2   504.3   504.4   504.5   504.6
SEC505	 Securing Windows                                                        505.1   505.2   505.3   505.4   505.5   505.6
SEC506	 Securing Unix/Linux
SEC508	 Computer Forensics, Investigation, and Response
SEC509	 Securing Oracle
SEC560	 Network Penetration Testing and Ethical Hacking                         560.1   560.2   560.3   560.4   560.5   560.6
SEC617	 Hacking and Defending Wireless Networks

                                                                                617.1   617.2   617.3   617.4   617.5   617.6
SEC304 Software Security Awareness                                        304
SEC334 SANS Training for the CompTIA Security+ Certification                  334.1 334.2 334.3 334.4
SEC419 Web Application Security Essentials                              419.1 419.2
MGT421 SANS Leadership and Management Competencies                       421

SEC427 Browser Forensics                                                  427
MGT431 Secure Web Services for Managers                                                                                         431.1 431.2
MGT432 Information Security for Business Executives                                                                              432 432
SEC517 Cutting-Edge Hacking Techniques                                   517
AUD521 Meeting the Minimum: PCI/DSS 1.1:

                                                                                                                                521.1 521.2
         Becoming and Staying Compliant
SEC522 Defending Web Applications                                                       522.1 522.2 522.3
SEC526 Next Evolution in Digital Forensics                                                                                      526
SEC531 Windows Command-Line Kung Fu In-Depth for Info Sec Pros           531
SEC536 Secure Coding for PCI Compliance                                                                                         536.1 536.2
SEC538 Web Application Penetration Testing Fundamentals
SEC540 VoIP Security
SEC541 Secure Coding in Java/JEE: Developing Defensible Applications
                                                                        538.1 538.2

                                                                                                541.1 541.2 541.3 541.4
                                                                                                                        540.1 540.2           •
SEC542 Web Application Penetration Testing In-Depth                                                         542.1 542.2 542.3 542.4
SEC545 PHP Secure Coding

                                                                                                                        545.1 545.2
SEC546 IPv6 Essentials                                                   546
SEC550 Power Search with Google                                         550
SEC553 Up and Running with the Metasploit Framework                      553
SEC556 Comprehensive Packet Analysis                                     556

SEC601 REM: The Essentials of Malware Analysis                                  601.1 601.2
SEC602 REM: Additional Tools and Techniques                                                     602.1 602.2
SEC609 Security Research                                                                                                        609.1 609.2
SEC610 REM: Malware Analysis Tools and Techniques                               610.1 610.2 610.3 610.4
HOSTED DIACAP                                                                    D.1   D.2   D.3   D.4   D.5
HOSTED Mobile Phone Forensics Survival Course
HOSTED Macintosh Forensic Survival Course
                                                                                MPF.1 MPF.2 MPF.3 MPF.4 MPF.5
                                                                                Mc.1 Mc.2 Mc.3 Mc.4 Mc.5                                      g
                                              STEP 1: CHooSE THE RIGHT CoURSE FoR YoU
Just starting a career in security?                                       Planning to Attend SANS NETWORK SECURITY 2008?
SEC301: Intro to Information Security (GISF) Page 34                      Use this guide to select the right training course to benefit
SANS	is	the	“MIT	of	Information	Security,”	and	this	introduc-              your career and increase your effectiveness on the job.
tory	certification	course	is	the	fastest	possible	way	to	get	up	               There’s something for everyone in security and
to	speed.		Understand	the	threats	and	risks	to	information	               operations – beginners, managers, auditors, consultants,
resources	and	identify	generally	accepted	best	practices.		                     and hands-on technical security professionals.

taking on technical tasks and need fundamental
skills and productivity tools?                                              SEC508: Computer Forensics, Investigation, and
                                                                            Response (GCFA) Page 54
SEC401: SANS Security Essentials Bootcamp Style (GSEC)                      Unpatched,	unprotected	computers	connected	to	the	Internet	
Page 36                                                                     are	compromised	in	less	than	three	days.		Investigators	must	
Maximize	your	training	time	and	turbo-charge	your	career	in	                master	a	variety	of	operating	systems,	investigation	techniques,	
security	by	learning	the	full	SANS	Security	Essentials	curriculum	          incident	response	tactics,	and	even	legal	issues	in	order	to	solve	
needed	to	qualify	for	the	GSEC	certification.		In	this	course	you	will	     their	cases.		This	course	emphasizes	a	hands-on	approach	so	
learn	the	language	and	underlying	theory	of	computer	security.		            you	will	learn	in-depth	open	source	and	commercial	forensic	
At	the	same	time	you	will	learn	the	essential,	up-to-the-minute	            tool	functionality	and	how	to	exploit	their	capabilities	in	a	
knowledge	and	skills	required	for	effective	performance	if	you	are	         variety	of	case	types.
given	the	responsibility	for	securing	systems	and/or	organizations.		
                                                                            AUD507: Auditing Networks, Perimeters, and Systems
Want to build on your technical security skills?                            (GSNA) Page 24
                                                                            This	course	is	the	end	product	of	over	one	hundred	skilled	
SEC501: Advanced Security Essentials ++ - GIAC Enclave
                                                                            system,	network,	and	security	administrators	working	with	one	
Defender Page 40
                                                                            common	goal—to	improve	the	state	of	information	security.		
Cyber	security	continues	to	be	a	critical	area	for	organizations	and	
                                                                            It	is	based	on	known	and	validated	threats	and	vulnerabilities	
will	continue	to	increase	in	importance	as	attacks	become	stealth-
                                                                            explained	from	real-world	situations	that	can	be	used	to	raise	
ier,	have	a	greater	financial	impact	on	an	organization,	and	cause	
                                                                            awareness	of	why	auditing	is	important.		From	these	threats	
reputational	damage.		Security	501	is	a	follow-on	to	Security	401	
                                                                            and	vulnerabilities	we	build	countermeasures	and	defenses,	
(with	no	overlap)	and	continues	to	focus	on	more	technical	areas	
                                                                            including	instrumentation,	metrics,	and	auditing.		
that	are	needed	to	protect	an	organization.	
SEC560: Network Penetration Testing and Ethical                             SEC502: Perimeter Protection In-Depth (GCFW) Page 42
Hacking (GPEN) Page 58                                                      This	course	takes	a	defense-in-depth	approach	to	locking	down	
Successful	penetration	testers	don’t	just	throw	a	bunch	of	hacks	           a	perimeter.		Every	layer	in	that	defense	is	covered	in	order	to	
against	an	organization	and	regurgitate	the	output	of	their	tools.	         ensure	that	your	perimeter	will	provide	maximum	protection	
Instead,	they	need	to	understand	how	these	tools	work	in	depth	             for	your	organization’s	resources.		Tools	are	introduced	to	
and	conduct	their	test	in	a	careful,	professional	manner.		This	course	     help	you	better	understand	traffic	flow	as	well	as	the	unique	
explains	the	inner	workings	of	numerous	tools	and	their	use	in	ef-          communication	characteristics	of	different	operating	systems.		
fective	network	penetration	testing	and	ethical	hacking	projects.           Concepts	like	packet	filters,	proxy	firewalls,	and	intrusion	
                                                                            detection	and	prevention	are	introduced	with	labs	to	increase	
SEC504: Hacker Techniques, Exploits, and Incident                           understanding	of	the	underlying	core	technology.
Handling (GCIH) Page 46
Learn	to	detect	malicious	code	and	respond	on	the	fly.	You’ll	              SEC505: Securing Windows (GCWN) Page 50
learn	how	your	networks	appear	to	hackers,	how	they	gain	                   This	program	brings	the	confusing	complexity	of	Windows	
access	with	special	emphasis	on	the	newer	attack	vectors,	and	              security	into	clear	focus	by	starting	with	foundational	security	
what	they	do	when	they	get	in	–	especially	in	manipulating	the	             services	and	advancing	in	a	logical	progression	to	particular	
system	to	hide	their	work.		Master	the	proven	six-step	process	             products	or	features	which	rely	on	these	foundations,	such	as	
of	incident	handling	so	you	are	prepared	to	be	the	technical	               IIS	and	IPSec.		This	course	provides	best	practices	for	security,	
leader	of	the	incident	handling	team.	                                      hands-on	exercises,	extensive	documentation/screenshots,	a	CD-
                                                                            ROM	of	security	scripts,	and	an	objective	account	of	Windows	
SEC503: Intrusion Detection In-Depth (GCIA) Page 44                         security	(neither	bashing	Microsoft	nor	toeing	the	party	line).		
The	emphasis	of	this	course	is	on	increasing	students’	under-               This	course	will	prepare	you	for	the	GIAC	Certified	Windows	
standing	of	the	workings	of	TCP/IP,	methods	of	network	traffic	             Security	Administrator	(GCWN)	certification	exam	and	many	of	
analysis,	and	one	specific	network	intrusion	detection	system	              the	MCSE:	Security	exams	as	well.
–	Snort.		This	course	is	not	a	comparison	or	demonstration	of	
multiple	NIDS.		Instead,	the	knowledge/information	provided	                     For SANS Technology Institute advanced degree
here	allows	students	to	better	understand	the	qualities	that	go	                        information visit:
into	a	sound	NIDS	and	the	whys	behind	them,	and	thus	be	better	
equipped	to	make	a	wise	selection	for	their	site’s	particular	needs.	
2   SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008          To register for SANS NETWORK SECURITY 2008, visit
SEC506: Securing Unix/Linux (GCUX) Page 52
Experience	in-depth	coverage	of	Unix	security	issues.		Examine	
                                                                          promoted to security management (OR AbOUT TO bE)?
how	to	mitigate	or	eliminate	general	problems	that	apply	to	              MGT411: SANS 17799/27001 Security and Audit
all	Unix-like	operating	systems,	including	vulnerabilities	in	the	        Framework (G7799) Page 26
password	authentication	system,	file	system,	virtual	memory	              This	course	is	designed	for	information	security	officers	or	
system,	and	in	common	network	protocols	such	as	NFS,	NIS,	and	            other	management	professionals	who	are	looking	for	a	how-to	
the	Unix	RPC	mechanism.		Learn	the	exact	steps	necessary	to	              guide	for	implementing	ISO-17799:2005	effectively.		This	course	
secure	the	two	most	common	Unix	flavors	–	Solaris	and	Linux	              will	give	you	the	information	you	need	to	go	back	to	your	
–	and	get	specific	advice	for	securing	some	of	the	most	common	           organization	with	a	plan	of	action	to	get	the	job	done!
Internet	services	on	the	Unix	platform,	including	Apache,	WU-             MGT504: Hacking For Managers (GCIM) Page 21
FTPD,	Sendmail,	and	BIND.                                                 This	hands-on	course	is	designed	to	give	managers	with	IT	security	
SEC509: Securing oracle (GSoC) Page 56                                    responsibility	a	complete	understanding	of	how	hacker	attacks	
This	course	prepares	you	to	secure	Oracle	installations	or	to	            work	and	how	to	defend	against	them.		We	supply	skilled	teaching	
become	an	auditor	who	can	test	the	security	of	Oracle	instal-             assistants	and	a	laptop	with	all	the	tools	and	operating	systems	
lations.	It	teaches	you	the	principal	threats	and	vulnerabilities,	       needed	for	the	exercises.		This	course	is	an	adaptation	of		SEC504:	
how	to	protect	against	attacks	exploiting	those	vulnerabilities,	         Hacker	Techniques,	Exploits,	and	Incident	Handling	and	highlights	
and	how	to	use	the	new	Oracle	security	testing	tool	from	the	             the	management	implications	and	applications	of	the	technology.		
Center	for	Internet	Security	to	measure	and	monitor	your	Oracle	          MGT512: SANS Security Leadership Essentials for
security	status.		This	course	prepares	you	for	GSOC	certification.        Managers with Knowledge Compression™ (GSLC) Page 30
                                                                          This	course	is	designed	to	empower	senior	and	advancing	man-
Want to earn cissp® certification?                                        agers	who	want	to	get	up	to	speed	fast	on	information	security	
MGT414: SANS® +S™ Training Program for the CISSP®                         issues	and	terminology.		Lecture	sections	are	intense.		The	dili-
Certification Exam (GISP) Page 28                                         gent	manager	will	learn	vital,	up-to-date	knowledge	and	skills	
The	SANS	CISSP®	review	course	will	cover	the	security	concepts	           required	to	supervise	the	security	component	of	any	informa-
needed	in	order	to	pass	the	CISSP®	exam.		This	accelerated	               tion	technology	project.		Only	SANS’	top	instructors	are	invited	
review	course	assumes	the	student	has	a	basic	understanding	              to	teach	this	course	that	prepares	you	for	GSLC	certification.	
of	networks	and	operating	systems	and	focuses	solely	on	the	              MGT525: Project Management and Effective Communica-
ten	domains	of	knowledge	as	determined	by	ISC2.		Each	domain	             tions for Security Professionals and Managers (GCPM) Page 32
of	knowledge	is	dissected	into	its	critical	components.		Every	           This	curriculum	is	intended	to	give	you	the	knowledge	and	
component	is	discussed	showing	its	relationship	to	each	other	            tools	you	need	to	become	a	top-notch	project	manager	
and	other	areas	of	network	security.		This	course	also	prepares	          with	a	focus	on	effective	communication,	human	resources,	
you	for	the	GISP	certification.		(Note:	The	CISSP®	exam	is	NOT	           and	quality	management.		The	course	covers	all	aspects	of	
provided	as	part	of	the	training.)                                        project	management	from	planning	and	initiating	projects	to	
                                                                          managing	cost,	time,	and	quality	while	your	project	is	active	and	
Want to develop or maintain advanced                                      then	completing,	closing,	and	documenting	after	the	project	
technology securely?                                                      finishes.		A	copy	of	the	Project Management Institute’s Guide to
                                                                          the Project Management Body of Knowledge (PMBOKR Guide®)
SEC617: Hacking and Defending Wireless Networks                           - Third Edition	is	provided	to	all	participants.		
(GAWN) Page 60
Few	fields	are	as	complex	as	wireless	security.		This	course	             Want to learn security from a legal perspective?
breaks	down	the	issues	and	relevant	standards	that	affect	wire-
                                                                          LEG523: Legal Issues in Information Technology and
less	network	administrators,	auditors,	and	information	security	
                                                                          Information Security (GLEG) Page 20
professionals.		With	hands-on	labs	and	instruction	from	industry	
                                                                          Day	by	day,	as	legislation	and	lawsuits	become	more	com-
wireless	security	experts,	you	will	gain	an	intimate	understand-
                                                                          mon,	the	law	is	assuming	greater	influence	on	IT	security.		
ing	of	the	risks	threatening	wireless	networks.		After	identify-
                                                                          This	course	will	help	the	IT	and	legal	departments	better	
ing	risks	and	attacks,	we’ll	present	field-proven	techniques	for	
                                                                          understand	each	other	and	find	workable	solutions	to	prob-
mitigating	these	risks,	leveraging	powerful	open-source	and	
                                                                          lems.		Learn	how	to	word	a	security	policy	so	as	to	minimize	
commercial	tools	for	Linux	and	Windows	systems.			
                                                                          liability	if	your	enterprise	is	sued	for	losing	customer	data.		
auditing security or becoming an auditor?                                 This	course	will	prepare	you	for	GLEG	certification.	

AUD410: IT Security Audit and Control Essentials (GSAE)                   need to implement an application security program?
Page 22                                                                   SEC541: Secure Coding in Java/JEE: Developing
This	is	the	right	course	for	people	just	entering	the	security	           Defensible Applications Page 12
field	who	will	be	responsible	for	auditing	organizational	policy,	
                                                                          SEC542: Web Application Penetration Testing In-Depth
procedure,	risk,	or	policy	conformance.		Gain	a	firm	grasp	of	infor-
                                                                          Page 11
mation	security	principles	and	issues	and	learn	to	develop	best	
practice	audit	checklists.		This	course	prepares	you	for	Audit 507:       SEC522: Defending Web Applications Page 11
Auditing networks, Perimeters, And systems	and	for	GSAE	certification.	   The	application	layer	is	the	fastest	growing	attack	vector	and	
     For detailed descriptions of all SANS courses visit:                 pen	testing/ethical	hacking	is	the	hottest	skill	requirement	
                                                    for	career	growth.		SANS	has	a	full	curriculum	of	courses	to	
                                                                          address	offensive	and	defensive	skills	for	all	experience	levels	
  For GIAC Certification information visit:                  for	both	application	and	network	security	professionals.	

To register for SANS NETWORK SECURITY 2008, visit                 SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   3
                                                                 STEP 2: CoNvINCE YoUR BoSS
              The value of SANS training to an employer is measured by the actions students
               take to improve the security of their organizations when they return to work.

Security 301:	Intro to Information Security Page 34                                   Security 503:	Intrusion Detection In-Depth Page 44
“ This course is perfect for someone like me, who was moved into IT                   “Mike knows the topic like a master and teaches with a passion.”
  security from the IT Customer Service.” -Julie Howe, QuAlcomm                       -mike iBArrA,
    • Reviewed and updated our BCP and DR plans                                         • Hooked up the copy of Snort we used in class and found evidence of a hacked
    • Began a vulnerability assessment project                                            computer within 30 minutes
    • Gave me the place to start as a new ISSO                                          • Performed vulnerability assessments of the site’s assets
                                                                                        • Solved citrix client intermittent disconnection problem by examining
                                                                                          network traffic
Security 401: SANS Security Essentials
Bootcamp Style Page 36
                                                                                      Security 508: Computer Forensics, Investigation,
“An immense amount of information presented in a clear and logical
 format. The instrutor’s real-world experience was great for reinforcing              and Response Page 54
 each aspect of the course.” -cHuck wAtermAn, Booz Allen HAmilton                     “ The amount of knowledge gained from this class is staggering and
   • Implemented free tools that I learned about in class without increasing our        really prepares you to take on these problems in the real world.”
     security budget                                                                  -AntHony dimAreo, osteotecH, inc.
   • Found new uses for old tools that helped troubleshoot network security             • Responders will be able to gather electronic evidence using approved legal,
     problems                                                                             technical, and tool methodology
   • Reduced the number of security incidents involving automated deletions             • Incident response and system administration teams can respond to difficult
     by changing policies to limit admin privileges to users who absolutely must          intrusion related events as well as simpler e-discovery requests
     have them                                                                          • Forensic analysts will know how to communicate with management so
                                                                                          informed decisions can be easily made
Security 501: Advanced Security Essentials ++ -
GIAC Enclave Defender Page 40                                                         Audit 507: Auditing Networks, Perimeters,
This brand new course is ideally suited for students who have taken                   and Systems Page 24
Security Essentials and want a more advanced 500-level course similar                 “ The information was well presented with great real-world examples.
to SEC401 or anyone looking for detailed technical knowledge on                         Best of all, it is immediately applicable to my current job.”
how to protect against, detect, and react to the new threats that will                -leAn nosewortHy, college of tHe nortH AtlAntic QuArter
continue to cause harm to an organization.                                              • Significantly improved the presentation of audit results
   • Protection - configure a system or network correctly                               • Developed a solution for encryption of data at rest and in transit
   • Detection - identify that a breach has occurred at the system or network level     • Implemented system base-lining
   • Reaction - respond to an incident and moving to evidence collection/foren-
     sics if necessary
                                                                                      Security 502:	Perimeter Protection In-Depth Page 42
                                                                                      “Outstanding technical depth with a captivating teaching style.”
SEC560: Network Penetration Testing and                                               -BoB rion, lsg systems
Ethical Hacking Page 58                                                                 • Implemented more secure management of firewalls
This brand new course is ideally suited for system administrators,                      • Reviewed our site architecture
technical auditors, professional penetration testers, and consultants                   • Implemented controls using our firewall logs to identify policy problems
who want technical depth and hands-on experience with penetration
testing and ethical hacking tools.
                                                                                      Security 505:	Securing Windows Page 50
                                                                                      “Jason Fossen did a really great job of pumping out the information
Security 504: Hacker Techniques, Exploits, and                                         and keeping us entertained all at the same time.” -wAlter licHty, PermA
Incident Handling		Page 46                                                               • Implemented the CIS Gold Standard for Windows 2000
“I loved this course. Not only are there how to’s of all of the tools shown,             • Immediately worked on our IIS servers to remove vulnerabilities
 but then you get to test them on real systems.” -tim Pryor, student                     • Used scripting to automate tasks that used to take days
    • Defended against backdoors with sniffing capabilities
    • Analyzed internally developed code for format string vulnerabilities
    • Created a detection toolkit for help desk analysts

4     SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008                  To register for SANS NETWORK SECURITY 2008, visit
Security 506:	Securing Unix/Linux Page 52                                              Management 504:	Hacking For Managers Page 21
“ This course gives a great overview of the tools necessary to work with               “ They teach you the questions to ask and how to recognize the correct
  your file system.” -mike dAnnAy, educAtionAl service unit #2                           answers. You won’t be fooled again!”
   • Reviewed Unix system architecture                                                  -Jodi l. colBurn, colBurn grouP
   • Removed unneeded applications and thereby reduced our risk                          • Learn the questions to ask and how to recognize the right answers
   • Improved the security of our Internet reachable applications                        • Appropriate amount of technical detail for managers
     (DNS, Mail, Web)                                                                    • Hands-on exercises to reinforce concepts

Security 509: Securing oracle		Page 56                                                 Management 512:	SANS Security Leadership
“SANS has helped me see past what Oracle only wanted me to see!”                       Essentials for Managers with Knowledge
 -D.J.	Freeman,	City	Utilities	of	Springfield,	MO
                                                                                       Compression™ Page 30
   • Defined and implemented solid Oracle security standards and policies
                                                                                       “ This course opens the door to a much deeper area of information
   • Created valuable and useful tools to comprehensively audit an Oracle data-
     base and now understand how to secure one                                           needed to effectively manage the security of a network/application.”
                                                                                        -micHAel goldAmmer, l-3 com. gsi
   • Now understand the risk involved in storing and using critical data in an
     Oracle database                                                                     • Communicated objectives to senior management
                                                                                         • Gave me the right questions to ask my people
                                                                                         • Taught me how to implement a change control process so we don’t have to
Management 414:	SANS® +S™ Training Program for                                             troubleshoot all the time
the CISSP® Certification Exam Page 28
“ Very valuable, as it not only teaches the material, it also teaches how              Management 525:	Project Management and
  to take the exam effectively.”
 -steve BrAnt, nett APP
                                                                                       Effective Communications for Security
  • Used the practice tests to prepare for the CISSP® exam                             Professionals and Managers Page 32
  • Applied the case study information to our security policies                        “First class instructor. Real-world examples. Extremely useful tips and
  • Learned the security language so that I could communicate with the rest of         techniques. Highly recommended without any reservation.”
    the team                                                                           -AdegBolA odutolA, deloitte & toucHe llP
                                                                                         • Covered all the bases for effective project management
                                                                                         • Provided real-world examples for implementing in the workplace
Security 617: Hacking and Defending Wireless
                                                                                         • Enabled effective communication with project managers and team members
Networks		Page 60
“ This course is absolutely critical for any IT professional responsible for
  overseeing an existing wireless network.”                                            Legal 523:	Legal Issues in Information Technology
 -JosHuA Brown, fleisHmAn HillArd                                                      and Information Security Page 20
  • Better prepared to assess the security of the organization’s wireless network      “Excellent course! You’ll learn ‘All’ you need to know about current
  • Applied proven field techniques to improve network security through                 issues and trends that security professionals must address. Ben is an
    improved network design or by auditing existing deployments                         excellent instructor and is knowledgeable on security law.”
  • Learned to use powerful open-source analysis tools, providing a low-cost           -cArmen BAnks, dst systems
    alternative to expensive commercial products                                         • Contracting for data security
                                                                                         • Vendor compliance
Audit 410:	IT Security Audit and Control Essentials                                      • Specific case examples
Page 22
                                                                                          “SANS provides training on topics of real value
“SANS training has been the most practical and world class course I
 have attended as an auditor.”                                                           and focuses on many real-world issues that many
-kABir m. AsmA`i, centrAl BAnk of nigeriA                                                      organizations miss in the curriculum.”
  • Located and evaluated security controls for our transaction systems
  • Wrote my first audit report
                                                                                                             -dArren sPruell, Honeywell
  • Prepared group for an external audit

Management 411: SANS 17799/27001 Security and                                                              COURSE COLOR KEY
Audit Framework		Page 26
“ The examples and discussions were extremely helpful.
                                                                                                                            AU D I T
  This is my third SANS course, and it keeps getting better!”
 -ron BArnes, Boston scientific corPorAtion                                                                      D E v E Lo P M E N T
  • Made the creation of an ISMS a manageable process
  • Enabled us to create policies that management will approve, reducing time                                               LEGAL
    to deployment
  • Taught us how to really perform risk assessments                                                             MANAGEMENT
Visit for more detailed course descriptions and additional information.                 SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   5
                                         STEP 3: EARN YoUR CERTIFICATIoN
                                      Top Four Reasons to get GIAC certified
                                      1. The GIAC certification process promotes learning which
                                         improves your skills and knowledge retention.
                                           “The GIAC certification process forced me to dig deeper into the information that I was taught
                                           in class. As a result of this, I integrated this training into my practical skill set and improved my
                                           hands-on skills.” -Dean Farrington, inFormation Security engineer, WellS Fargo                        “The knowledge that I learned studying for my GCIH certification has helped me incorporate
                                           more defense in depth and to clearly justify how and why I must do these things. This has
      The Only                             helped me become more effective within my organization.” -laurie Zirkle, SyStemS aDminiStrator, Virginia tech
                                      2. GIAC certification is proof that you possess hands-on
                                         technical skills.
      Security                             “GIAC proves that I have a very solid technical background to support any challenge I deal
    Certification                          with every day. There are so many new tools coming up daily, but the underlying background
                                           essentially remains the same. -Wayne ho, BuSineSS inFormation Security oFFicer, gloBal Bank
    “Based on the track they did, I can quickly access their technical skills. If a person has multiple GIAC certifications, I know
    the person gets things done and has a very solid technical hands-on skill set. It also tells me that the individual has the
    discipline to study and pass very challenging certifications.” -Jim horWath

3. GIAC certification will position
   you to attain promotions and earn                                              Job                    SANS Course                GIAC Certification
   respect among your peers.
                                                                                  Security Analyst       SANS Security Essentials
    “I think the GIAC certification has definitely helped                                                Bootcamp Style
    provide credibility for me in the work place. This, in turn,
    has helped me be more effective at my job.”
    -matt auStin, Senior Security conSultant, Symantec
                                                                                  Intrusion Analyst      Intrusion Detection
    “I’ve become very respected for the knowledge I’ve                                                   In-Depth
    gained, and when I receive certifications or do other
    exciting things with GIAC, it gives me opportunities to get
    my name in front of company leaders.”                                         Incident Handler       Hacker Techniques, Exploits,
    -keVin Bong, VP netWork & Data Security, JohnSon Financial grouP                                     and Incident Handling
4. Hiring managers use GIAC
   certifications as an indicator of                                              Computer Forensics Computer Forensics,
   a candidate’s true hands-on                                                                       Investigation, and Response
   technical skills.
    “Hiring managers are always looking for ways to help
    sort through candidates. GIAC certifications are a major                      Information            SANS Security Leadership
    discriminator. They ensure that the candidate has hands-                      Security Manager       Essentials for Managers
    on technical skills.” -chriS Schock, hca netWork engineer
    “Raytheon places tremendous value on the GIAC
                                                                                  Information            Auditing Networks,
    certification because certification holders have
                                                                                  Security Auditor       Perimeters, and Systems
    hands-on technical skills. In fact, Raytheon compensates
    their professionals who earn GIAC certifications.”
                                                                                             To see other GIAC certifications,
    -JeFFrey Wiley, raytheon
                                                                                                   go to

6   SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008               To register for SANS NETWORK SECURITY 2008, visit
   ALL DoD Contractors and Uniformed Personnel
                                                                                                                 Eric Expert
      Per DFAR Supplement Case 2006–D023:
    Contractor personnel accessing information
      systems must meet applicable training
          and certification requirements.

DoD Directive 8570 requires:
                                                                                         Announcing the 2008 GSE Exam
100% of ALL DoD contractors and DoD IA                                                 Where: SANS	Network	Security	2008	Conference,		
professionals must be certified within the next                                        October	2-3,	2008,	Las	Vegas,	NV
three years.                                                                           Registration deadline date: August	25,	2008

40% must be certified by the end of 2008.                                              For more info:	or		
All IA jobs will be categorized as ‘Technical’ or                                      The	most	prestigious	GIAC	credential	is	the	GSE	(GIAC	
                                                                                       Security	Expert).		This	is	an	elite	certification	geared	for	the	
‘Management’ Level I, II, or III, and to be qualified
                                                                                       ‘top	guns’	in	information	security	that	directly	validates	
for those jobs, you must be certified.                                                 hands-on	skills.		The	GSE	is	the	only	certification	in	the	
                                                                                       IT	security	industry	that	requires	candidates	to	actually	

          DoD Baseline IA Certifications                                               perform	the	task	before	they	can	achieve	the	certification.
                                                                                       The	GIAC	Security	Expert	(GSE)	testing	process	is	a	
         TECH I                     TECH II                    TECH III                multi-faceted	approach	that	is	the	most	rigorous	and	
       A+	                        GSEC                          GSE                    comprehensive	in	the	IT	security	industry.		It	involves	
    Network+                    Security+                      CISSP                   both	individual	hands-on	security	exercises,	technical	
      SSCP                        SCNP                         SCNA                    presentations,	research	and	essay	assignments	along	with	
                                  SSCP                          CISA                   multiple	choice	and	scenario	based	exams.

         MGT I
                                    MGT II
                                                               MGT III
                                                                                                           GIAC Mission
                                                                                       • Validate hands-on, job-based technical skills for information
      GISF                         CISSP                       CISSP
                                                                                         security professionals.
    Security+                      CISM                        CISM
                                                                                       • Increase the half-life of knowledge retention through the
        SANS NETWORK SECURITY 2008 offers training                                       certification exam preparation process.
               for the certifications in yellow
                                                                                       • Provide assurance to employers that their employees and
                                                                                         prospective candidates actually possess the deep technical
                                                                                         skills needed to do the job.
     Training for Certs
                                                                                       • Enhance the posture of the defensive information security
     COURSE               CERT                 “It’s not just about                      community through challenging and relevant exams that
   SEC301   GISF                               the cert, it’s about                      guarantee knowledge and practical skills.
   SEC334 Security+                              the knowledge                          The Only Hands-on Information Security Certification
   SEC401   GSEC
                                                gained in pursuit                                                              GIAC offers a certification for
   MGT414   CISSP                                                                                                                every major IT security job
   MGT512   GSLC
                                                    of the cert.”                                                               in the industry. A complete

   SEC401                                        -dAve Hull, trusted                                                               list of GIAC certifications
                                                    signAl, llc                                                                  and corresponding subject
   SEC503    GSE                                                                                                                        areas is available at:

Visit for more detailed course descriptions and additional information.                                                                       7
                                                                                                                      E V E N T S
        SANS has planned a very exciting array of special events including the Welcome
       Reception (families invited), evening talks with keynote speakers, and SANS@Night
       presentations. Attendees will have the opportunity to seek out technical solutions
          to take back to the office. Live demonstrations of cutting-edge products and
              services will enhance the learning process initiated in the classroom.
                                     See for details.

            ICE 2008                                                                   Keynote
    (Integrated Cyber Exercise)                                 The Ultimate Pen Test: Combining Network and
                                                                  Web App Techniques for World Domination
       a Pack Hunter event                                              Speakers: Ed Skoudis and Kevin Johnson

      The Internet
       - In a Box-
                                                                       Linux/Unix Command-Line Kung Fu
    With an Evil Twist                                                            Speaker: Hal Pomeranz
     Root DNS, NTP servers                           SALSA: Scalable & Agile Lifecycle Security for Applications
     and a wide collection                                                        Speaker: Jonathan Ham
      of public assets have
                                                                           The State of Remote Exploits
      expanded this year’s                                                        Speaker: Stephen Sims
       exercise into a scale
                                                                  The Law of E-mail Retention and E-Discovery
     model of the Internet.                                                         Speaker: Ben Wright
    The defender’s networks
                                                                        Future Trends in Network Security
        have real services                                                          Speaker: Dr. Eric Cole
     with real data. E-mail,
                                                                  Simple Principles to Protect Information and
        DNS, VoIP, SCADA,                                                Control Today and Tomorrow
     e-commerce and even                                                           Speaker: Matt Luallen
        online banking are
                                                              A Brief History of Hacking with Dave Shackleford
    online in this, the largest                                                 Speaker: Dave Shackleford
      public cyber exercise
                                                                      Incorporating Advanced MitM Attacks
       of its kind. Routers,                                           in Your Penetration Testing Regimen
      firewalls, servers and                                                     Speaker: Bryce Galbraith
       desktops will all be                                                         State of the Hack
       available for attack                                                           Speaker: Rob Lee
             or defend.                                               Visit for details.

8    SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008           To register for SANS NETWORK SECURITY 2008, visit
                                                                                                                          NETWORKING ACTIVITIES

                         Finding the Right Tools and Services
        Here are just a few vendors that have participated at SANS events and are likely to be at SANS NETWORK SECURITY 2008:
                                                                                                                                 The SANS NETWORK
                                                                                                                                SECURITY 2008 Vendor
                                                                                                                                  Reception & Expo
                                                                                                                                   provides time for
                                                                                                                                quality interaction with
                                                                                                                                  vendors and peers.

                 SANS NETWORK SECURIT Y 2008                                                            SANS NETWORK SECURIT Y 2008
                      Vendor Expo                                                       Vendor Welcome Reception
                   Tuesday, September 30, 2008                                                Tuesday, September 30, 2008 • 5:00pm-8:00pm
               12:00pm-1:30pm and 5:00pm-8:00pm                                         Join	the	fun	at	the	SANS	Vendor	Welcome	Reception,	
                    Wednesday, October 1, 2008                                          September	30	at	5:00pm-7:30pm.		Engage	with	vendors	
                                                                                        and	get	hands-on	experience	with	the	latest	in	security	
                                                                                        technologies	throughout	the	industry.		Participate	in	the	
    The	SANS	Vendor	Expo	is	an	excellent	opportunity	                                   evening	raffle	featuring	prizes	sponsored	by	vendors	and	
    to	visit	with	leading	providers	of	firewalls,	intrusion	                            SANS.		Family	members	are	welcome	to	join!
    detection/prevention	systems,	and	enterprise	security	
    management	solutions.		Attendees	are	encouraged	
    to	compare	features	and	functionality	of	multiple	
                                                                                                                  Lunch & Learns
    best-in-class	solutions	and	apply	classroom	acquired	                               Throughout	the	event	vendors	will	provide	sponsored	
    knowledge	to	properly	evaluate	today’s	security	                                    lunches	where	attendees	can	interact	with	peers	and	
    technologies.		Vendors	arrive	prepared	to	interact	                                 receive	education	on	vendor	solutions.		Take	a	break	and	
    with	SANS’	technically	savvy	audience,	presenting	                                  get	up	to	date	on	security	technologies!		Space	is	limited;	
    technical	demonstrations	and	explanations.		It’s	                                   sign	up	at	the	registration	desk	on-site.
    about	having	your	questions	answered	and	making	
    informed	buying	decisions!                                                                                     Cocktail briefs
                                                                                        These	evening	events	bring	good	fun	and	great	conversa-
                                                                                        tion	from	hosting	vendors.		Join	the	party,	have	a	drink,	
          Check the most current listing                                                and	take	a	look	at	solutions	that	can	help	address	your	
             of exhibiting vendors at:                                                  organization’s	key	security	issues.		The	list	of	Cocktail	Briefs                                               will	be	posted	on-site	at	the	registration	desk.

Visit for more detailed course descriptions and additional information.                    SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   9
                                                          Application Security and Ethical Hacking Roadmap
                                                             The	application	layer	is	the	fastest	growing	attack	vector	and	pen	testing/ethical	
                                                                  hacking	is	the	hottest	skill	requirement	for	career	growth.		SANS	has	a		
                                                                 full	curriculum	of	courses	to	address	offensive	and	defensive	skills	for	all		
                                                                experience	levels	for	both	application	and	network	security	professionals.			
                                                              This	roadmap	should	help	you	select	the	courses	best	for	you	and	your	team.
                                   BEGINNERS                                                                   BEGINNERS

                                          SEC419:		                   Unless you are a                           SEC401:		
                                  Web Application                     beginner in Web App              SANS Security Essentials
                                 Security Essentials                  Security, you are not               Bootcamp Style
                                                                      required to take SEC419.
                                          Page	10                                                                Page	36

                                                                          PEN TESTERS                                        INCIDEN T



                                                                                                                             HANDLE R S



               SEC522:		                                        SEC538:		
        Defending Web                         Web Application Penetration
         Applications                           Testing Fundamentals                               SEC560:		                      SEC504:		
               Page	11                                          Page	11                           Network                        Hacker
                                                                                                 Penetration                  Techniques,
                                                                SEC542:		                          Testing                      Exploits,
                                              Web Application Penetration                        and Ethical                  and Incident
                                                   Testing In-Depth                                Hacking                     Handling
                                                                Page	11                            Page	58                        Page	46

                                                   Hacking and Defending Wireless Networks
                                                                               Page	60

                NEW! Security 419: Web Application Security Essentials
           2-Day Course • 9:00am-5:00pm • Sun, Sept 28 – Mon, Sept 29, 2008 • 12 CPE Credits • Laptop Required • Instructor: Staff
 From	a	mere	26	Web	servers	operating	in	November	1992	growing	to	well	over	100	million	Web	sites	today,	we	have	come	a	
 long	way	in	Web	technology	over	a	short	period	of	time.		Today,	almost	every	organization	has	its	own	Web	site	for	conducting	
 business	transactions	or	other	critical	functions.		And	for	many	companies,	their	online	presence	has	become	a	major	revenue	
 generator.		As	everyone	jumps	on	the	bandwagon	to	do	business	on	the	Web,	many	problems	can	arise	which	are	directly	
 related	to	the	security	aspects	of	Web	applications.		The	adage	“where	there	is	money,	there	is	crime”	has	become	true	on	a	daily	
 basis	as	we	see	credit	cards	and	other	financial	data	compromised	through	Web	application	vulnerabilities.		And	that	is	not	even	
 the	full	extent	of	the	problem	because	Web-based	malware	and	worms	are	still	spreading	in	the	wild.
 Our	Web	application	security	workshop	is	a	two-day	hands-on,	action	packed	course	covering	the	common	vulnerabilities	that	are	
 leveraged	by	attackers,	the	basic	principles	of	securing	Web	applications,	and	basic	testing	techniques	for	detecting	the	vulner-
 abilities.		This	course	will	help	you	understand	the	mechanics	of	the	components	necessary	for	effective	Web	application	security	
 which	will	then	enable	you	to	properly	defend	your	organization’s	assets.		With	the	information	you	learn	in	this	class,	you	will	be	
 able	to	perform	basic	security	testing	on	Web	applications,	as	well	as	architect,	design,	and	develop	more	secure	Web	applications.
 This	course	is	particularly	well	suited	to	developers,	QA	analysts,	and	infrastructure	security	professionals	who	have	an	interest	in	
 exploring	the	Web	application	security	world.
 For beginners, this course is a prerequisite for SEC522, SEC538, SEC542, and SEC617.

10   SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008              Please visit for more details on all courses.
                                                                                                           Get extra training
 NEW! Security 522: Defending Web Applications                                                   with these two-day
 3-Day Course • 9:00am-5:00pm • Tue, Sept 30 – Thu, Oct 2, 2008 • 18 CPE Credits • Laptop Required
                                     Instructor: Kevin Johnson                                           to four-day
Defending	Web	Applications	is	a	three-day	hands-on,	action-packed	course	covering	the	defensive	             courses
strategies	for	Web	applications	against	current	and	future	attacks.		This	course	will	help	you	understand	
the	fundamental	reasons	behind	the	Web	vulnerabilities	which	will	then	enable	you	to	properly	defend	
your	organization’s	Web	assets.		Mitigation	strategies	from	an	infrastructure,	architecture,	and	coding	
perspective	will	be	discussed	alongside	real-world	implementations	that	really	work.		The	key	security	problem	
areas	of	Web	applications	will	be	covered	as	well	as	new	technology	areas	such	as	AJAX	and	Web	Services.
To	maximize	the	benefit	for	a	wider	range	of	audiences,	the	discussions	in	this	course	will	be	programming	language	
agnostic.		Focus	will	be	maintained	on	security	strategies	rather	than	coding	level	implementation.		This	course	is	intended	
for	anyone	tasked	with	implementing	secure	Web	applications.
Defending	Web	Applications	is	particularly	well	suited	to	application	security	analysts,	developers,	application	architects,	pen	
testers	who	are	interested	in	recommending	proper	mitigations	to	security	issues,	and	infrastructure	security	professionals	who	
have	an	interest	in	better	defending	their	Web	applications.		

NEW! Security 538: Web Application Penetration Testing Fundamentals
    2-Day Course • 9:00am-5:00pm • Sun, Sept 28 – Mon, Sept 29, 2008 • 12 CPE Credits • Laptop Required • Instructor: Kevin Johnson
If	your	organization	has	a	Web	application	(who	doesn’t),	it	is	probably	under	attack	every	single	day.		We	regularly		
come	across	headlines	of	online	retailers’,	social	sites’,	and	banks’		Web	sites	being	compromised.		Successful		
attacks	against	Web	sites	using	application	level	flaws	are	very	common	nowadays.		Would	you	want	hackers	to		
be	the	first	to	test	the	security	posture	of	your	critical	Web	applications?		If	you	don’t,	security	testing	for	Web		
application	during	and	after	development	is	absolutely	necessary.		This	two-day	course	starts	off	with	a	discussion		
on	software	security	testing	and	how	it	fits	into	the	development	lifecycle.		We	will	discuss	testing	methodologies	that	are	
sensible	and	practical,	so	you	can	apply	these	testing	concepts	to	any	of	your	Web	applications.		Testing	Web	applications	
manually	can	be	very	time	consuming	and	not	very	practical.		To	ensure	you	feel	confident	about	testing	Web	applications,	we	
introduce	you	to	many	Web	application	security	testing	tools.		We	will	fill	your	arsenal	with	the	right	tools	to	get	the	job	done.
Throughout	the	two	days,	you	will	be	using	the	testing	concepts	learned	in	class	to	test	some	vulnerable	Web	applications.	The	
target	applications	are	as	realistic	as	possible.		The	labs	are	structured	so	the	novice	and	the	intermediate	students	can	both	enjoy	
the	learning	experience.		You	will	not	be	bored	during	the	labs.		This	class	gives	you	the	know-how	to	test	common	vulnerabilities	
in	Web	applications	so	you	can	hit	the	ground	running	when	it	comes	to	testing	Web	application’s	security	posture.	

  NEW! Security 542: Web Application Penetration Testing In-Depth
       4-Day Course • 9:00am-5:00pm • Fri, Oct 3 – Mon, Oct 6, 2008 • 24 CPE Credits • Laptop Required • Instructor: Kevin Johnson
Assess Your Web Apps in Depth
Web	applications	are	a	major	point	of	vulnerability	in	organizations	today.		Web	app	holes	have	resulted	in	the	theft	of	millions	
of	credit	card	numbers,	major	financial	and	reputational	damage	for	hundreds	of	enterprises,	and	even	the	compromise	of	
thousands	of	browsing	machines	that	visited	Web	sites	altered	by	attackers.		In	this	class,	we’ll	learn	the	art	of	exploiting	Web	
applications	so	we	can	find	flaws	in	our	enterprise’s	Web	apps	before	the	bad	guys	do.		Through	detailed	hands-on	exercises	
and	training	from	a	seasoned	professional,	we	will	learn	the	four-step	process	for	Web	application	penetration	testing.		You	will	
inject	SQL	into	back-end	databases,	learning	how	attackers	exfiltrate	sensitive	data.		We	will	utilize	Cross-Site	Scripting	attacks	
to	dominate	a	target	infrastructure	in	our	unique	hands-on	laboratory	environment.		And	we	will	explore	various	other	Web	app	
vulnerabilities	in	depth	with	tried-and-true	techniques	for	finding	them	using	a	structured	testing	regimen.		We	will	learn	the	
tools	and	methods	of	the	attacker	so	that	we	can	be	powerful	defenders.
On	day	one,	we	will	study	the	art	of	reconnaissance,	specifically	targeted	to	Web	applications.		On	day	two,	we	will	examine	
the	mapping	phase	when	we	interact	with	a	real	application	to	determine	its	internal	structure.		During	the	discovery	phase	
on	day	three,	we	will	use	the	information	gathered	in	the	first	two	days	to	uncover	weaknesses	and	plan	our	attack.		Finally	on	
day	four,	we	will	launch	the	attacks	compromising	the	Web	infrastructure	of	our	target.		Throughout	the	class,	we	will	learn	the	
context	behind	the	attacks	so	that	you	intuitively	understand	the	real-life	applications	of	our	exploitation.		In	the	end,	we	will	
be	able	to	assess	your	own	organization’s	Web	applications	to	find	some	of	the	most	common	and	damaging	Web	application	
vulnerabilities	today.		By	knowing	your	enemy,	you	can	defeat	your	enemy.		General	security	practitioners	as	well	as	Web	site	
designers,	architects,	and	developers	will	benefit	from	learning	the	practical	art	of	Web	application	penetration	testing.		

Please visit for more details on all courses.                       SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   11
                                                                         NEW! Security 536:
                                                                  Secure Coding for PCI Compliance
                                                               2-Day Course • 9:00am-5:00pm • Sun, Oct 5 – Mon, Oct 6, 2008
                                                               12 CPE Credits • Laptop Required • Instructor: David Hoelzer
                                     The	audit	procedure	documents	for	PCI	1.1	tell	the	auditor	that	he	should	look	for	evidence	
                                 that	Web	application	programmers	in	a	PCI	environment	have	had	“training	for	secure	coding	
                             techniques.”		However,	the	problem	that	many	businesses	are	facing	is,	what	is	that	and	where	can	I	
                          get	it?		This	course	packs	a	thorough	explanation	and	examination	of	the	OWASP	top	ten	issues,	which	
                       are	the	foundation	of	the	PCI	requirement,	into	a	two-day	course.
               Throughout	the	course	we	will	look	at	examples	of	the	types	of	flaws	that	secure	coding	protects	against,	
            examine	how	the	flaw	might	be	exploited,	and	then	focus	on	how	to	correct	that	code.		Coupled	with	the	
         lectures,	there	are	more	than	ten	hands-on	exercises	where	the	students	will	have	the	opportunity	to	test	out	their	
      new	skills	identifying	flaws	in	code,	fixing	code,	and	writing	secure	code.		All	of	the	exercises	are	available	in	Perl,	PHP,	
  C/C++,	Ruby,	and	Java.		This	will	allow	students	to	try	their	hand	at	any	of	the	major	Web	application	coding	languages	
 that	they	work	with	in	addition	to	some	of	the	supporting	languages	that	might	be	at	work	behind	the	scenes.		
 Prerequisites: Students should have at least several months of coding experience, preferably Web application coding
 experience. It is best if the student is familiar with one of the following languages: Perl, PHP, C, C++, Java, or Ruby.

                      NEW! Security 541: Secure Coding in Java/JEE:
                                         Developing Defensible Applications
         4-Day Course • 9:00am-5:00pm • Wed, Oct 1 – Sat, Oct 4, 2008 • 24 CPE Credits • Laptop Required • Instructor: Rohit Sethi
 Great	programmers	have	traditionally	distinguished	themselves	by	the	elegance,	effectiveness,	and	reliability	of	their	code.		
 That’s	still	true,	but	elegance,	effectiveness,	and	reliability	have	now	been	joined	by	security.		Major	financial	institutions	
 and	government	agencies	have	informed	their	internal	development	teams	and	outsourcers	that	programmers	must	
 demonstrate	mastery	of	secure	coding	skills	and	knowledge	through	reliable	third-party	testing,	or	lose	their	right	to	work	
 on	assignments	for	those	organizations.		More	software	buyers	are	joining	the	movement	every	week.
 The Only Course Covering the Key Elements of Secure Application Development in Java
 Such	buyer	and	management	demands	create	an	immediate	response	from	programmers	–	“Where	can	I	learn	what	is	
 meant	by	secure	coding?”		This	unique	SANS	course	allows	you	to	bone	up	on	the	skills	and	knowledge	being	measured	
 in	the	third-party	assessments	as	defined	in	the	Minimum	Skills	for	Secure	Coding	in	Java/Java	EE.		(You	can	find	the	
 Minimum	Skills	document	at		This	is	a	comprehensive	course	covering	a	huge	set	of	skills	and	
 knowledge	reflecting	two-thirds	of	the	material	in	the	Essential	Skills	document.		It’s	not	a	high	level	theory	course.		It’s	
 about	real	programming.	In	this	course	you	will	examine	actual	code,	work	with	real	tools,	build	applications,	and	gain	
 confidence	in	the	resources	you	need	for	the	journey	to	improving	the	security	of	Java	applications.

                          NEW! Security 545: PHP Secure Coding
     2-Day Course • 9:00am-5:00pm • Sun, Oct 5 – Mon, Oct 6, 2008 • 12 CPE Credits • Laptop Required • Instructor: Johannes Ullrich, PhD
 This	course	targets	PHP	programmers	interested	in	learning	more	about	how	to	code	in	PHP	securely.		PHP	as	a	program-
 ming	language	has	a	very	easy	learning	curve.		You	can	get	started	in	minutes	writing	complex	Web	sites.		Sadly,	this	ease	
 of	use	and	code-as-you-go	approach	frequently	leads	to	insecure	code.		PHP	provides	a	lot	of	freedom	to	do	things	wrong.		
 Coding	securely	in	PHP	requires	some	extra	thought	and	knowledge,	which	we	will	provide	in	this	class.		Coding	in	PHP	
 without	this	knowledge	can	lead	to	problems,	as	insecure	coding	means	exposing	your	data	and	your	customers.	
 In	our	work	at	the	SANS	Internet	Storm	Center,	not	a	day	goes	by	that	we	do	not	receive	a	note	about	yet	another	Web	site	
 having	been	compromised	and	customer	data	stolen.		How	would	you	feel	if	an	exploit	was	placed	on	your	Web	site	and	
 you	then	had	to	tell	your	customers	that	they	may	have	been	infected	by	malware	simply	because	they	accessed	your	
 site?		But	we	do	not	just	work	the	exploits.,	a	big	part	of	the	Internet	Storm	Center,	was	written	entirely	in	PHP,	
 and	the	code	has	been	available	for	public	inspection.		Lessons	learned	from	our	own	mistakes	have	been	incorporated	
 into	this	course.		PHP	is	not	insecure	in	itself;	however,	its	ease	of	use	does	allow	you	to	get	started	a	bit	too	quickly	and	
 carelessly.		SEC545	covers	all	aspects	of	what	is	needed	to	code	securely.		We	will	not	spend	a	lot	of	time	explaining	how	to	
 code	in	PHP.		Instead,	we	will	dive	right	into	the	more	advanced	concepts	starting	with	additional	PHP	modules,	like	Suho-
 sin,	and	how	they	can	be	used	to	harden	your	PHP	application.		We	will	not	just	tell	you	that	input	validation	is	important;	
 instead,	we	will	show	you	real	code	on	how	to	do	it	right.		Hands-on	exercises	are	used	to	reinforce	what	you	have	learned.	

12   SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008         Please visit for more details on all courses.
                                       NEW! Security 610: Reverse-Engineering Malware:

                                                      Malware Analysis Tools and Techniques

                        u rs
                                   4-Day Course • 9:00am-5:00pm • Mon, Sept 29 – Thu, Oct 2, 2008 • 24 CPE Credits • Laptop Required

                                                                    Instructor: Lenny Zeltser

                o         By	covering	both	behavioral	and	code	analysis	approaches,	this	
                                                                                                      Reverse-Engineering Malware:
                      unique	course	provides	a	rounded	approach	to	reverse-engineering.		               Malware Analysis Tools and

                   As	a	result,	the	course	makes	malware	analysis	accessible	even	to	indi-               Techniques offers the full

                viduals	with	a	limited	exposure	to	programming	concepts.		When	perform-                 course with option to add a

             ing	the	analysis,	you	will	study	the	supplied	specimens’	behavioral	patterns,	and	            certification attempt.

          examine	key	portions	of	their	assembly	code.		Hands-on	workshop	exercises	are	an	                           SEC601:
       essential	aspect	of	this	course	and	allow	you	to	apply	reverse-engineering	techniques	              Reverse-Engineering Malware:
    by	examining	malicious	code	in	a	carefully-controlled	environment.		                                     The Essentials of Malware
  Days 1 & 2: Security 601: REM: The Essentials of Malware Analysis                                        Analysis is days 1 & 2 of SEC610.
  The	first	half	of	the	SEC610	course	covers	the	key	aspects	of	reverse-engineering	malicious	           SEC602:
  code.		The	instructor	explains	how	to	set	up	an	inexpensive	and	flexible	laboratory	for	     Reverse-Engineering Malware:
  understanding	inner-workings	of	malware	and	demonstrates	the	process	by	exploring	
                                                                                               Additional Tools and Techniques
                                                                                                   is days 3 & 4 of SEC610.
  capabilities	of	real-world	specimens.		You	will	learn	to	examine	the	program’s	behavioral	
  patterns	and	assembly	code	and	study	techniques	for	bypassing	common	code	obfuscation	
  mechanisms.		The	course	also	takes	a	look	at	analyzing	browser-based	malware.
  Days 3 & 4: Security 602: REM: Additional Tools and Techniques
  The	second	half	of	the	SEC610	course	begins	by	reviewing	key	assembly	language	concepts.		
  You	will	focus	on	static	code	analysis,	learning	to	examine	malicious	code	to	understand	its	
  flow	by	identifying	key	logic	structures	and	patterns,	looking	at	examples	of	bots,	rootkits,	
  key	loggers,	and	so	on.		You	will	understand	how	to	work	with	PE	headers	and	handle	DLL	
                                                                                                              Get GREM Certified
                                                                                                                Reinforce what you learned in
  interactions.		Next,	you	will	develop	skills	for	analyzing	self-defending	malware	through	un-               training and prove your skills and
  packing	techniques	and	bypassing	code-protection	mechanisms.		Finally,	you	will	discover	                 knowledge with a GREM certification.
  how	to	bypass	obfuscation	techniques	employed	by	browser-based	malicious	scripts.		                      

      Security 334: SANS Training for the CompTIA Security+ Certification
      4-Day Course • 9:00am-5:00pm • Mon, Sept 29 – Thu, Oct 2, 2008 • 24 CPE Credits • Laptop Required • Instructor: Stephen Sims
  Prepare	for	the	CompTIA	Security+	Certification	exam	with	SANS’	unparalleled	training.		In	this	course	you	will	learn	the	
  language	and	underlying	theory	of	communication	security,	infrastructure	security,	cryptography,	operational	security,	and	
  general	security	concepts.		This	course	is	only	taught	by	the	best	security	instructors	in	the	industry	and	provides	up-to-the-
  minute	knowledge	you	can	immediately	put	into	practice.
  SPECIAL NOTE: This course is endorsed by the Committee on National Security Systems (CNSS) NSTISSI 4013 Standard for
  Systems Administrators in Information Systems Security (INFOSEC).

                          NEW! Security 609: Security Research
       2-Day Course • 9:00am-5:00pm • Sun, Oct 5 – Mon, Oct 6, 2008 • 12 CPE Credits • Laptop Required • Instructor: Stephen Sims
  Information	security	has	more	visibility	now	than	ever	before.		The	question	is,	do	you	have	the	desire	to	stand	out	and	be	
  in	the	top	one	percent	of	security	professionals?		Do	you	want	to	stop	relying	on	others	to	find	your	application’s	vulner-
  abilities	and	start	writing	your	own	Proof	of	Concept	(POC)	code?		In	this	course	we	bridge	the	gaps	and	take	a	step-by-
  step	look	at	Linux	and	Windows	operating	systems	and	how	exploitation	truly	works	under	the	hood.		This	two-day	course	
  rapidly	progresses	through	exploitation	techniques	used	to	attack	stacks,	heaps,	and	other	memory	segments	on	Linux	and	
  Windows.		This	is	a	fast-paced	course	that	provides	you	with	the	skills	to	hit	the	ground	running	with	vulnerability	research.		
  You	will	use	the	knowledge	gained	throughout	the	course	to	write	custom	exploits	to	gain	privileged	system	access.		Pre-
  compiled	exploits	won’t	help	you	here!	
  PREREqUISITES: This is a fast-paced, advanced course that requires a strong desire to learn custom exploitation techniques
  and advanced penetration testing. Courses such as SEC504: Hacker Techniques, Exploits, and Incident Handling, SEC560:
  Network Penetration Testing and Ethical Hacking, and SEC610: Reverse-Engineering Malware are recommended prior to or
  as a companion to taking this course. Experience with programming in any language is recommended but not required. The
  basics of programming will not be covered in this course. Most of the vulnerable programs and exploits are written in C, C++,
  Perl, or Python. Familiarity with Linux and Windows is highly recommended.

Please visit for more details on all courses.                     SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008      13
                                                                  NEW! Security 540: voIP Security

                                                     2-Day Course • 9:00am-5:00pm & Bootcamp Hours: 5:15pm-7:00pm • Sun, Oct 5 – Mon, Oct 6, 2008

                                                                   16 CPE Credits • Laptop Required • Instructor: Dr. Eric Cole, PhD

                                  VoIP	(Voice	Over	IP)	has	become	a	widely	adopted	technology,	and	it’s	here	to	stay.		VoIP	protocols	
                               and	technologies,	and	especially	VoIP	security,	are	among	the	most	complex	fields	in	IT	today.		This	

                           course	offers	the	in-depth	knowledge	required	to	understand	how	VoIP	technologies	work	at	the	

                        protocol	level	(mainly	focusing	on	SIP	and	RTP).		Students	will	learn	the	security	risks	of	VoIP	networks	for	

                   service	providers,	carriers,	and	enterprises	through	the	detailed	analysis	of	infrastructure,	signaling,	and	media	

                attacks,	and	how	to	mitigate	these	risks.		By	helping	you	understand	how	VoIP	protocols	work	and	giving	you	

             hands-on	experience	with	attack	mechanisms	that	impact	your	VoIP	environment,	this	challenging	course	helps	you	
          design,	build,	and	assess	a	secure	VoIP	architecture.		We	will	cover	various	VoIP	attacks	ranging	from	VoIP	signaling	and	
       media	eavesdropping,	caller	ID	impersonation,	and	VoIP	authentication	cracking	to	man-in-the-middle	call	manipulation	and	
     media	injection.		We	will	then	examine	multiple	cutting-edge	solutions,	security	devices,	standards,	and	countermeasures	that	
     can	be	used	to	mitigate	these	vulnerabilities	and	threats,	detailing	the	strengths	and	weaknesses	of	each,	while	guiding	you	
     through	the	best	tools	for	securing	your	VoIP	network.
     As	part	of	the	course,	you	will	receive	a	software	VoIP	PBX	based	on	Trixbox	(Asterisk),	an	audio	headset,	and	several	VoIP	
     analysis	and	attack	tools.		This	toolkit	will	help	you	build	your	own	VoIP	infrastructure,	gain	hands-on	experience,	and	learn	the	
     attack	tools	used	to	exploit	VoIP	vulnerabilities	from	the	attacker	perspective.		You’ll	learn	to	understand	the	insight	gained	
     from	VoIP	penetration	testing,	which	you	will	be	able	to	apply	to	protect	your	VoIP	infrastructure	from	attacks.		The	extensive	
     hands-on	labs,	plus	the	instruction	from	industry	VoIP	security	experts,	provide	you	with	the	skills	needed	to	architect	and	
     evaluate	the	risks	threatening	your	VoIP	infrastructure.

     NOTE: The current SANS VoIP Security two-day course is very intense, full of content, and time demanding. Expect to stay in class
     during the evenings, for up to two extra hours each day.

     Students should have a working knowledge of TCP/IP networks and protocols, general security attacks and defenses, and VoIP
     concepts, with experience in the design or deployment of network and security technologies.

                                    Security 517: Cutting-Edge Hacking Techniques
                        1-Day Course • 9:00am-5:00pm • Sun, Sept 28, 2008 • 6 CPE Credits • Laptop Required • Instructor: Staff
     Computer	attackers	continue	their	relentless	march	in	improving	their	tools	and	techniques.		The	simple	scanning	
     of	yesteryear	has	given	way	to	powerful	suites	of	bundled,	automated	scanning	and	exploitation	tools.		Straight-	
     forward	backdoors	have	evolved	into	powerful	kernel-mode	RootKits,	manipulating	the	very	hearts	of	our	
     systems.		Covert	channels	exfiltrate	sensitive	information	and	hash	collision	attacks	are	rapidly	advancing	with	
     your	systems	in	the	cross	hairs.		In	all	of	these	trends,	thorough	reconnaissance	and	deep	subterfuge	dominate	
     the	attackers’	game.		
     If	we	don’t	keep	up	with	their	latest	methods,	our	overall	defenses	and	incident	response	practices	will	grow	rusty.		To	help	fight	
     back,	this	action-packed	one-day	course	describes	these	latest	attack	trends	and	what	you	can	do	to	thwart	the	bad	guys.		In	
     addition	to	detailed	descriptions	of	how	the	attacks	function,	you’ll	get	hands-on	experience	with	the	tools	and	their	defenses.		
     This	fast-paced,	intermediate-to-advanced	course	is	ideal	for	students	who	have	taken	a	multi-day	hacking	course	in	the	past	
     (offered	by	other	training	organizations	or	SANS’	own	504	or	560	courses)	and	are	looking	to	update	their	understanding	and	
     skills.		Also,	if	you	are	preparing	for	that	final	push	on	your	GCIH	certification,	this	session	can	help	you	brush	up	and	refresh	your	
     knowledge	of	computer	attacks	before	taking	the	exam.	

     Who Should Attend This Course
     •	Managers	and	professionals	who	have	taken	a	multi-day	hacking	course	seeking	to	update	their	understanding	and	skills
     •	Professionals	preparing	for	the	GCIH	or	GPEN	certification

14     SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008         Please visit for more details on all courses.
    Security 526: Next Evolution in Digital Forensics
                                                                                                                Get extra training
         1-Day Course • 9:00am-5:00pm • Sun, Oct 5, 2008 • 6 CPE Credits • Laptop Required
                                                                                                                   with these two-day
                                        Instructor: Rob Lee                                                                to one-day
This	advanced	course	is	perfect	for	the	diligent	student	familiar	with	core	forensic		                                         courses
methodology	and	techniques.	If	you	understand	forensic	filesystem	fundamentals,		
then	this	course	is	for	you.		It	moves	quickly	from	covering	memory	forensics	to		
recovering	and	discovering	deleted	partitions	from	hard	drives.		This	course	focuses	on		
innovative	forensic	techniques	and	methodologies	so	the	seasoned	practitioner	can	keep	his	skills	sharp		
and	up-to-date	with	the	latest	research	areas	in	both	live	and	static	based	disk	forensics.		
You	will	receive:
•	Forensic	analysis	workstation	VMware	machine	equipped	to	investigate	forensic	data
•	Course	DVD	loaded	with	case	examples,	tools,	and	documentation
PREREqUISITES: This advanced course is perfect for the diligent student conversant with file system forensic techniques. If you are
just beginning in digital forensics, this course is not appropriate for you as the basics of digital forensics will not be covered.

 Security 531: Windows Command-Line Kung Fu In-Depth for Info Sec Pros
              1-Day Course • 9:00am-5:00pm • Sun, Sept 28, 2008 • 6 CPE Credits • Laptop Required • Instructor: Ed Skoudis
To	maximize	their	value	in	handling	the	latest	generation	of	spyware	and	conducting	detailed	investigations,		
security	personnel	should	wield	some	Windows	command-line	Kung	Fu.		Many	people	do	not	realize	the	power		
of	the	Windows	command-line	and	have	confined	themselves	inside	the	prison	of	the	Windows	GUI.		But,	some-	
times,	in	the	face	of	extremely	nasty	malware	that	disables	GUI-based	tools,	security	personnel	are	forced	to	the		
command	line	to	analyze	an	infestation.		Don’t	fret!	In	this	fun	and	engaging	session	we’ll	discuss	in	depth	one	of		
the	most	powerful	command-line	tools	built	into	Windows,	wmic,	and	how	it	can	greatly	improve	the	capabilities	of	security	
personnel,	incident	handlers,	and	even	auditors.		We’ll	also	look	at	other	really	powerful	built-in	commands	to	monitor	systems	
and	analyze	them	for	indications	of	compromise.		
Based	on	one	of	SANS	most	popular	Webcasts,	this	session	expands	the	discussion	into	a	full	day	of	hands-on	depth	with	fun	
labs	and	examples.		For	example,	do	you	know	how	to	kill	a	bunch	of	processes	based	on	their	name	across	the	network	using	
only	built-in	Windows	tools?		How	about	finding	out	whether	a	given	patch	is	installed,	the	date	it	was	installed,	and	the	user	
who	installed	it,	again	remotely	and	using	only	built-in	features?		What	if	your	GUI	is	shot	by	a	rootkit	and	you	want	to	see	which	
services	are	associated	with	each	process	and	which	DLLs	those	processes	have	loaded?		How	can	you	run	a	single	command	that	
will	show	you	with	one-second	accuracy	when	a	piece	of	malware	receives	a	connection	from	a	bad	guy	on	the	network,	along	
with	the	ProcessID	of	the	malware	and	IP	address	of	the	bad	guy?		After	this	session	you	will	be	able	to	do	all	of	this	and	more...	
much	more.		For	this	session,	have	a	Windows	XP	Pro	or	Windows	2003	box	handy	(WinXP	Home	won’t	do!),	grab	a	soda,	pop	up	a	
cmd.exe,	and	get	ready	for	some	serious	Kung	Fu.	

                               NEW! Security 546: IPv6 Essentials
                    1-Day Course • 9:00am-5:00pm • Sun, Sept 28, 2008 • 6 CPE Credits • Laptop Required • Instructor: Staff
Many	organizations	have	established	mandates	to	implement	IPv6	over	the	next	few	years.		In	response,	vendors	have	begun	to	
include	IPv6	support	in	recent	products.		Operating	systems	now	enable	IPv6	by	default,	and	many	routers	will	route	IPv6	traffic.		
However,	many	security	professionals	are	still	unaware	of	the	implications	this	has	on	their	networks.		
IPv6	is	currently	being	implemented	at	a	rapid	pace	in	Asia	in	response	to	the	exhaustion	of	IPv4	address	space,	which	is	most	
urgently	felt	in	rapidly	growing	networks	in	China	and	India.		Even	if	you	do	not	feel	the	same	urgency	of	IP	address	exhaustion,	
you	may	have	to	connect	to	these	IPv6	resources	as	they	become	more	and	more	important	to	global	commerce.
This	course	will	introduce	network	administrators	and	security	professionals	to	the	basic	concepts	of	IPv6.		While	it	is	an	
introduction	to	IPv6,	it	is	not	an	introduction	to	networking	concepts.	You	should	understand	and	be	aware	of	the	basic	
concepts	of	IPv4	and	networking	in	general.		It	is	an	ideal	refresher	if	you	took	SEC503	Intrusion	Detection	In-Depth.		However,	
you	do	not	need	to	know	IPv4	in	the	full	detail	in	which	it	is	presented	in	SEC503.		The	networking	and	IPv4	principles	taught	in	
SEC401:	SANS	Security	Essentials	Bootcamp	Style	should	prepare	you	for	this	course.	

Please visit for more details on all courses.                            SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   15
                                                                        Security 553: Up and Running with the

                                                                               Metasploit Framework

                                                        1-Day Course • 9:00am-5:00pm • Sun, Sept 28, 2008 • 6 CPE Credits • Laptop Required

                                                                                       Instructor: Staff
                              Testing	your	network	for	new	vulnerabilities	before	the	bad	guys	do	should	be	a		

                           top	priority	for	any	organization.		Unfortunately,	developing	tools	and	code	to	test	for		
         a  se

                       vulnerabilities	in	existing	commercial	and	in-house	software	can	be	a	tiring	process.		The		

                    Metasploit	Project™	was	designed	to	help	fulfill	this	need.		Using	various	components	of	The		

                 Metasploit	Project™,	you	can	rapidly	develop	tools	to	not	only	test	for,	but	verify	software	vulnerabilities		
              that	may	lurk	on	your	network.		
         Attendees	will	become	familiar	with	the	various	components	of	the	Metasploit	Project™,	how	to	use	those	components	
     to	test	and	verify	their	networks,	methods	for	detecting	Metasploit,	and	how	to	develop	custom	exploit	modules.		The	course	
     concludes	with	a	hands-on	section	where	the	knowledge	learned	can	be	tested	against	virtual	machines.		
     This	course	is	well	suited	for	penetration	testers	and	ethical	hackers.		In	addition,	systems	administrators,	incident	responders,	
     and	systems	auditors	can	benefit	from	this	course	by	learning	how	to	quickly	and	efficiently	develop	tools	to	test	and	verify	
     software	vulnerabilities.		Attendees	are	expected	to	have	a	basic	understanding	of	software	exploits	and	hacker	techniques.
     It is imperative that you get written permission from the proper authority in your organization before using these tools and
     techniques on your company’s system as well as advise your network and computer operations teams of your testing.

                      NEW! Security 556: Comprehensive Packet Analysis
                   1-Day Course • 9:00am-5:00pm • Sun, Sept 28, 2008 • 6 CPE Credits • Laptop Required • Instructor: Jonathan Ham
     Knowing	how	to	decode	network	traffic	is	a	skill	requirement	for	any	serious	network	or	information	security	administrator.		
     Being	able	to	decode	the	bits	and	bytes	that	represent	mission-critical	networks	will	give	you	the	skills	to	identify	malicious	
     activity,	troubleshoot	network	failures,	and	analyze	other	desirable	or	undesirable	network	events.		
     This	class	will	give	you	the	skills	necessary	to	decode	network	traffic	with	open-source	tools	available	for	Unix	and	Windows	
     systems.		Students	will	learn	advance	pcap	packet	filtering	methods	to	decode	and	manipulate	network	traffic	using	tcpdump	
     and	use	Wireshark	to	extract	files	(pictures,	documents,	executable,	etc.)	from	datastream	for	malware	recovery,	incident	
     response,	and	forensics	analysis.		You’ll	be	able	to	use	these	new	skills	to	analyze	current	or	future	network	protocols	and	gain	a	
     better	understanding	of	your	network	traffic.		The	tools	covered	in	this	class	are	Windump/TCPdump,	Wireshark,	Mergecap,	Unix	
     file	command,	and	a	Hex	Editor.
     Students are expected to be generally familiar with TCP/IP at the theoretical level. If you are not familiar with TCP/IP, we
     recommend you read the following documents before attending: or

                        NEW! Security 304: Software Security Awareness
                    1/2-Day Course • 9:00am-12:15pm • Sun, Sept 28, 2008 • 3 CPE Credits • Laptop NOT Required • Instructor: Staff
     This	awareness	course	discusses	design	and	implementation	of	software	applications	to	reduce	the	risk	from	hackers	and	at-
     tacks.	The	concept	is	to	engineer	software	so	that	it	continues	to	function	correctly	under	malicious	attack.	This	course	intro-
     duces	defensive	coding	and	tips	to	avoid	creating	problems	or	vulnerabilities.	We	also	examine	the	most	common	flaws	of	
     software	design	and	implementation,	and	you	will	learn	about	specific	practices	to	avoid	those	flaws.		
     This	is	an	introductory	course,	suitable	for	managers	as	well	as	developers	to	get	them	thinking	about	baking	security	into	
     software.	The	next	courses	in	this	track	would	be	SANS	Web	application	security,	and	then	language	specific	developer	security	
     training	or	tester	specific	courses.

     A Sampling of Topics
     •	Vulnerability	Cycle	–	Discovery,	Exploit,	and	Patching
     •	Principles	of	Security	Applicable	to	All

16     SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008          Please visit for more details on all courses.
                                                                                                           Get extra training
      NEW! Security 427: Browser Forensics                                                          with these half-day
      1/2-Day Course • 1:30pm-4:30pm • Sun, Sept 28, 2008 • 3 CPE Credits • Laptop Required
                                         Instructor: Staff                                                  to two-day
Why	would	you	want	to	perform	a	forensic	analysis	of	a	computer	system?		Most	of	the	time,	it’s	in	             courses
response	to	an	incident	-	e.g.,	something	has	gone	wrong,	and	that	something	may	have	been	actively	
perpetrated	by	a	person	(rather	than	a	simple	hardware	failure	or	software	error).		Oftentimes,	especially	
in	Web	browser	forensics,	the	evidence	you	gather	may	not	even	be	directly	related	to	the	incident.		For	
example,	if	a	person	is	terminated	for	over-socializing	during	work	hours	and	management	suspects	that	the	
now-ex-employee	may	file	a	wrongful	termination	suit,	you	may	be	called	in	to	see	if	this	individual	made	use	of	
any	of	the	common	social-networking	sites	(MySpace,	Facebook,	Friendster)	to	bolster	management’s	assertions.
Alternatively,	your	forensic	review	may	be	directly	related	to	an	incident.		If	your	company’s	main	office	network	was	
nearly	taken	down	by	a	virus	infection	or	zero-day	exploit	that	you	barely	managed	to	beat	back	(via	disabling	the	external	
routers	and	manually	updating/cleaning	each	workstation),	you	might	want	to	find	where	the	problem	originated	so	you	can	
prevent	it	from	happening	again.		This	would	be	especially	true	if	the	problem	was	an	employee	surfing	to	a	non-work	site	and	
downloading	unauthorized	code.		And	in	the	real	nail-biting	scenario,	all	your	protective	controls	have	failed,	and	you	need	to	
know	which	employee	uploaded	the	latest	design	specs	to	your	biggest	competitor’s	Web	site,	if	for	no	other	reason	than	to	
prove	the	competitor’s	malfeasance	in	a	lawsuit.
If	this	sounds	like	something	you	will	or	may	have	to	do	in	your	job,	be	a	part	of	this	fast-paced	skill	sharpening	short	course	
and	learn	the	latest	greatest	techniques	for	conducting	solid	browser	forensics	on	any	system.	

                       Security 550: Power Search with Google
       1/2-Day Course • 9:00am-12:15pm • Sun, Sept 28, 2008 • 3 CPE Credits • Laptop Required • Instructor: Staff
This	course	is	meant	as	a	detailed	introduction	to	the	security	assessment	methodology	coined	“Google		
hacking.”		It	will	introduce	you	to	some	common	techniques	used	by	Google	hackers,	demonstrate	a	number	of		
typical	security	exposures	that	Google	uncovers,	and	will	set	you	on	the	path	of	discovery	if	Google	hacking	is	to		
be	part	of	your	security	evaluation	toolkit.
Google	hacking	is	a	young	and	rapidly	growing	field	of	research.		The	implications	of	having	our	public	sites	crawled	by	search	
engines	for	security	relevant	data	were	largely	unknown	until	recently.		As	more	and	more	of	our	business	processes,	intellectual	
property,	and	research	and	development	move	to	a	Web	environment,	it	will	become	even	more	important	for	security	
practitioners	to	have	the	skills	required	to	evaluate	their	sites	from	the	perspective	of	a	malicious	search	engine	user.		
Along	with	a	study	of	proven	Google	hacking	techniques,	there	will	be	a	description	of	some	common	technical	defense	
measures	used	to	throttle	what	data	our	site	gives	away	and	hopefully	stop	the	most	curious	and	persistent	of	Google	hackers.	
At	the	end	of	the	course,	you	should	have	a	solid	toolkit	of	techniques	and	tips	that	you	can	take	back	to	your	organization	and	
use	to	uncover	unintended	information	disclosures,	close	common	holes	in	Web	servers	and	Internet	connected	devices,	and	
clean	up	the	exposures	you	discover.
Students are expected to be familiar with use of search engines and particularly with some of the advanced operations that
Google offers. Students would also benefit from a basic familiarity with Web servers, the HTTP protocol, and HTML.

                                               Audit 521: Meeting the Minimum:
                                         PCI/DSS 1.1: Becoming and Staying Compliant
                                          2-Day Course • 9:00am-5:00pm • Sun, Oct 5 – Mon, Oct 6, 2008 • 12 CPE Credits
                                                          Laptop Required • Instructor: James Tarala
             The payment card industry has been working over the past several years to formalize a standard for
         security practices that are required for organizations who process or handle payment card transactions.
       The fruit of this labor is the Payment Card Industry Data Security Standard (currently at version 1.1).
     This standard, which started life as the Visa Digital Dozen, is a set of focused comprehensive controls for managing the
     risks surrounding payment card transactions, particularly over the Internet. Of course, compliance validation is one of
     the requirements. This course was created to allow organizations to exercise due care by performing internal validations
     through a repeatable, objective process. While the course will cover all of the requirements of the standard, the primary
     focus is on the technical controls and how they can be measured. Every student will leave the class with a toolkit that can
     be used to validate any PCI/DSS environment technically and the knowledge of how to use it.

  Please visit for more details on all courses.                       SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   17
                                                                 Management 421:

                                                  SANS Leadership and Management Competencies

                             u  rs
                                                              1-Day Course • 9:00am-5:00pm • Sun, Sept 28, 2008 • 6 CPE Credits
                                                                   Laptop Recommended • Instructor: Stephen Northcutt
                   o  rt
                            Leadership	is	a	capability	that	must	be	learned	and	developed	to	better	ensure		

                        organizational	success.		The	more	techniques	we	learn,	the	better	our	leadership	capa-	

                    bility	becomes.		It	is	brought	primarily	through	selfless	devotion	to	the	organization	and	staff,		

                tireless	effort	in	setting	the	example,	and	the	vision	to	see	and	effectively	use	available	resources	toward	

             the	end	goal.		Leaders	and	followers	influence	each	other	toward	the	goal,	identified	through	a	two-way	street	

          where	all	parties	perform	their	function	to	reach	the	overall	objective.		Leadership	entails	the	ability	to	persuade	
       team	members	to	accomplish	their	objectives	while	removing	obstacles	and	resistance	and	facilitates	the	well-being	
   of	the	team	in	support	of	the	organization’s	mission.		Grooming	effective	leaders	is	critical	to	all	types	of	organizations,	as	
 the	most	effective	teams	are	cohesive	teams	that	work	together	toward	common	goals	with	camaraderie	and	can-do	spirit!
 Our	focus	is	purely	leadership-centric;	we	are	not	security-centric	or	technology-centric	with	this	training	opportunity.		We	
 help	an	individual	develop	leadership	skills	that	apply	to	commercial	business,	non-profit,	not-for-profit,	or	other	organiza-
 tions.		This	course	is	designed	to	develop	existing	and	new	supervisors	and	managers	who	aspire	to	go	beyond	being	the	
 boss.		It	also	builds	leadership	skills	to	enhance	their	organizational	climate	through	team-building	to	enhance	the	organi-
 zational	mission	through	growth	in	productivity,	workplace	attitude/satisfaction,	and	staff	and	customer	relationships.

         NEW! Management 431: Secure Web Services for Managers
                2-Day Course • 9:00am-5:00pm • Sun, Oct 5 – Mon, Oct 6 • 12 CPE Credits • Laptop NOT Required • Instructor: Staff
 The	National	Institute	of	Standards	and	Technology	special	publication	800-95	Secure	Web	Services	is	one	of	the	best	
 publications	they	have	ever	produced.		It	helps	us	understand	the	growth	in	both	numbers	and	importance	of	Web	
 applications	and	how	vulnerable	they	are.		As	they	say	themselves,		“The	advance	of	Web	services	technologies	promises	to	
 have	far-reaching	effects	on	the	Internet	and	enterprise	networks.		Web	services	based	on	the	eXtensible	Markup	Language	
 (XML),	SOAP,	and	related	open	standards,	and	deployed	in	Service	Oriented	Architectures	(SOA)	allow	data	and	applications	
 to	interact	without	human	intervention	through	dynamic	and	ad	hoc	connections.		Web	services	technology	can	be	
 implemented	in	a	wide	variety	of	architectures,	can	co-exist	with	other	technologies	and	software	design	approaches,	and	
 can	be	adopted	in	an	evolutionary	manner	without	requiring	major	transformations	to	legacy	applications	and	databases.”
 SP	800-95	is	a	breakthrough	document	and	gives	solid	architectural	guidance,	but	the	content	is	beyond	the	reach	of	
 most	managers.		When	we	read	terms	like	SOA,	SOAP,	TLS,	XML,	XACML,	UDDI,	and	WSDL,	our	eyes	glaze	over	even	though	
 we	know	this	is	really	important	material.		SANS	wants	to	help.		By	the	end	of	the	class,	you	will	understand	secure	Web	
 services	and	will	be	ready	to	ask	your	Web	team	the	right	questions	and	give	the	right	guidance.		There	are	no	prerequisites,	
 although	some	basic	IT	and	IT	security	previous	knowledge	is	assumed.		For	students	who	do	not	have	an	IT	background,	
 we	highly	recommend	that	they	look	over	assigned	reading	before	attending	this	class.

 NEW! Management 432: Information Security for Business Executives
               1 1/2-Day Course • 9:00am-5:00pm • Sun, Oct 5 – Mon, Oct 6 • 9 CPE Credits • Laptop NOT Required • Instructor: Staff
 Where	does	a	CEO	or	vice	president	go	to	learn	the	fundamentals	of	information	security?		The	SANS	Institute,	well	known	
 as	a	premier	source	for	top	quality	technical	instruction,	information	security	thought	leadership,	and	research,	now	offers	
 this	purpose-built	course	for	senior	leaders.		One	of	the	most	common	remarks	from	students	of	Management	512:	SANS	
 Security	Leadership	Essentials	is,	“Is	there	an	abbreviated	version	of	this	course	I	can	send	my	boss	to?”		In	designing	this	
 course	we	looked	closely	at	the	course	evaluations	from	the	most	senior	executives	that	took	Management	512,	industry	
 studies,	and	surveys,	and	we	polled	security	thought	leaders.		The	structure	of	the	course	is	to	present	the	information	and	
 provide	the	executive	participant	with	additional	reading.		The	additional	reading	is	sent	in	advance	as	well	as	included	in	
 the	workbooks.
 When	SANS	designed	the	Information	Security	for	Business	Executives	course,	we	chose	to	emulate	the	format	utilized	by	
 many	executive	MBA	programs.		While	core	source	material	is	derived	from	our	highly	regarded	SANS	Security	Leadership	
 Essentials	program,	we	decided	to	focus	this	course	on	the	big	picture	of	securing	the	enterprise.		Ultimately,	the	goal	
 of	this	program	is	to	ensure	that	executives	charged	with	the	responsibility	for	information	security	can	make	informed	
 choices	and	decisions	that	will	improve	their	organization’s	security.

18   SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008         Please visit for more details on all courses.
      Department of Defense Information                                                   Mobile Phone Forensics Survival Course
         Assurance Certification and                                                       Five-Day Course • Mon, Sept 29 – Fri, Oct 3, 2008 • Instructor: Staff

        Accreditation Process (DIACAP)                                                     Presented by          FORWARD DISCOvERY
 Five-Day Course • Mon, Sept 29 – Fri, Oct 3, 2008 • Instructor: John Myers
                                                                                    In	this	course	you	will	work	in	a	team	atmosphere	with	
Presented by                                                                        extensive	hands-on	training	and	walk	away	with	the	skills	
                                                                                    necessary	to	properly	seize,	acquire,	analyze	and	document	
                                                                                    the	examination	of	cellular	phone	and	mobile	devices.
The	DIACAP	Training	is	an	intensive	team-building	
awareness	workshop	presenting	principles	for	                                       The	Mobile	Phone	Forensics	course	covers	the	process	of	
accomplishing	the	C&A	process	for	DoD	information	                                  conducting	forensic	examinations	of	cellular	phones	and	
systems	initiating	a	DIACAP	accreditation	effort.		We	                              mobile	devices	from	beginning	to	end	in	a	manner	that	is	
provide	examples,	exercises	in	completing	C&A	package	                              both	practical	and	reasonable.	Additionally,	the	training	and	
documents,	and	a	comprehensive	Resource	Kit	for	online	                             material	is	designed	to	allow	an	examiner	to	immediately	
referencing	of	key	resources.		This	training	presents	the	                          begin	conducting	forensic	examinations	upon	their	return	
most	up-to-date	concepts,	tools,	and	examples.		You	will	                           to	the	office.	No	time	is	wasted	on	theory,	processes	or	tools	
learn	the	concepts	and	theories	required	to	develop	                                that	do	not	have	a	practical	application.
and	complete	your	DIACAP	Package	on	the	Information	                                Forward	Discovery	instructors	have	the	unparalleled	experi-
System	(IS)	under	your	control.		You	will	understand	that	                          ence	necessary	to	help	you	succeed.	Our	instructors	hold	
the	DIACAP	Package	is	the	certification	package	that	will	                          multiple	certifications	including	the	IACIS	Certified	Forensic	
define	the	direction	that	will	be	followed	during	the	entire	                       Computer	Examiner	(CFCE).	Each	is	an	accomplished	and	
C&A	effort.		We	will	discuss	how	and	where	you	begin	to	                            experienced	instructor	and	examiner	having	conducted	
identify	all	supporting	documents:	including	the	System	                            hundreds	of	examinations	for	both	law	enforcement	and	
Identification	Profile,	Implementation	Plan,	Validation	                            civil	institutions.	Forward	Discovery	instructors	have	trained	
Results,	DIACAP	Scorecard,	the	Plan	of	Action	&	Milestones	                         numerous	foreign	and	national	(US)	law	enforcement	and	
(POA&M),	and	other	Supporting	Artifacts.	                                           government	officers	and	corporate	investigators.

                     Macintosh Forensic Survival Course
                     Five-Day Course • Mon, Sept 29 – Fri, Oct 3, 2008 • Instructor: Steve Whalen
Forward	Discovery,	Inc.	(previously	Phoenix	Data	Group,	LLC)	has	seen	the	need	for	Macintosh	
forensic	training	that	is	practical	to	forensic	examiners.		The	training	was	designed	for	the	
student	to	learn	what	is	needed	with	a	no	one	left	behind	attitude	in	a	team	work	atmosphere	                                       Students Will Receive:
through	hands-on	training.		Students	will	walk	away	with	the	skills	necessary	to	properly	seize,	                                     C
                                                                                                                                    •		 ourse	Manual
acquire,	analyze,	and	document	your	examination	of	an	Intel-based	Macintosh	computer	in	a	                                            C
                                                                                                                                    •		 ustom	Acquisition	CD	for	
forensically	sound	manner.		Unlike	most,	our	forensic	training	is	conducted	in	a	logical	format	                                      PowerPC	and	Intel	Macs
which	covers	the	process	of	conducting	a	forensic	examination	of	a	Macintosh	from	start	to	                                           M
                                                                                                                                    •		 acDrive	7
finish	in	a	way	that	just	makes	sense.		Additionally,	our	training	and	material	is	designed	to	be	a	                                  V
                                                                                                                                    •		 irtual	Machine	Software	
reference	to	allow	an	examiner	to	utilize	what	you	learn	after	the	course	is	over	when	it	is	time	                                    (Parallels	or	VMWare	
for	your	next	Mac	exam.		We	also	provide	instruction	on	advance	topics	such	as	working	with	                                          Fusion)
NTFS	media	and	the	forensic	examination	of	Apple	iPod	and	iPhone	devices.		                                                           E
                                                                                                                                    •		 mailchemy
Forward	Discovery	instructors	have	unparalleled	experience	necessary	to	help	you	succeed.		Our	                                       i
                                                                                                                                    •		Pod	Video	Nano
instructors	hold	multiple	certifications	including	the	IACIS	Certified	Forensic	Computer	Examiner	                                  Each student will be provided
(CFCE).		Each	is	an	accomplished	and	experienced	instructor	and	examiner	having	conducted	hun-                                      a Macintosh computer for
                                                                                                                                    the duration of the course
dreds	of	examinations	for	both	law	enforcement	and	civil	institutions.		FD	instructors	have	trained	
                                                                                                                                    in order to participate in the
both	foreign	and	national	(US)	corporate	investigators,	law	enforcement,	and	government	officers.	                                  Hands-on labs.
Sign up and Receive the Same Training as the FBI Computer Forensics Investigators!

Please visit for more details on all courses.                                          SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   19
                                                                LEGAL	523

     5-Day Program • 9am–5pm • Mon, Sept 29 – Fri, oct 3, 2008 • 6 CPE/Day • Senior Instructor: Ben Wright

This course covers the law of business,                                                                                                 Senior Instructor
                                                                                                                                            Ben Wright
contracts, fraud, crime, IT security, IT
                                                                                                                  Ben, recognized the world over as
liability, and IT policy – all with a focus
                                                                                                               one of the leading lawyers in e-com-
on electronically stored and transmitted
                                                                                                               merce, is the founding author of The
records. Legal 523 is a five-day package
                                                                                                                 Law of Electronic Commerce, a com-
delivering the content of the following
                                                                                                                  prehensive book on the legality of
one-day courses:
                                                                                                               electronic transactions and comput-
• Legal 417: Legal Issues in                                                                                    erized business records. Since 1988
  Information Technology: InfoSec                                                                                 Ben has delivered many hundreds
• Legal 416: Business Law and                                                                                      of presentations on e-commerce,
  Computer Security (e-Discovery!)                                 Who Should Attend                             privacy, records management, and
                                                                                                                computer security and been quoted
• Legal 412: Contracting for Data                           S
                                                          •		 ecurity	and	IT	professionals,	
                                                            lawyers,	paralegals,	auditors,	                        in publications around the globe,
  Security and Other Technology                             accountants,	technology	managers,	
                                                            and	vendors
                                                                                                                 from the Wall Street Journal to the
• Legal 413: Law of Fraud and IT as an                                                                            Sydney Morning Herald. He wrote
                                                          •		 rofessionals	with	security	policy	
  Instrument of Crime                                       responsibilities,	including	security	                and presented a report on technol-
                                                            staff	and	consultants,	investigators,	
• Legal 425: Applying Law to Emerging                                                                             ogy law to the Sri Lankan govern-
                                                            CIOs,	cyber	law	enforcement	
  Dangers                                                   personnel,	and	government	policy	                        ment, which contributed to the
                                                            makers                                                adoption of national e-commerce
Special Features! This legal offering
                                                                                                                                 legislation in 2005.
will cover many recent developments,                             Get GLEG Certified
including TJX, amendments to the
Federal Rules of Civil Procedure
pertaining to the discovery of electronic
records in litigation and the torment
Hewlett-Packard has endured for spying
on journalists and members of its board                   Reinforce what you learned in training
                                                           and prove your skills and knowledge
of directors. Hewlett-Packard employed                                                                                AutHor stAtement:
                                                          with a GLEG certification.
its internal security team and outside                                                                                t Hese Are five intense dAys cover-
investigators in ways that raised legal                      “Excellent! Excellent! Information                       ing tHe rAPid develoPment of lAw

questions (can you say, “computer crime                    security managers today need to know                       At tHe intersection of     it And se-
                                                                                                                      curity .   Be
law?”) and led to criminal indictments.                    the legal issues facing all of us and this                                 PrePAred for insigHts

                                                                                                                      And tiPs you ’ ve not HeArd Before .
All security professionals should know                          course brings it right to you!”
                                                                                                                      - B enJAmin w rigHt
the lessons from these cases.                                 -teresA cole, Poudre scHool district

20    SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008            To register for SANS NETWORK SECURITY 2008, visit
                                      MANAGEMENT	504

 6-Day Program • 9am–5pm • Mon, Sept 29 – Sat, oct 4, 2008 • 6 CPE/Day • Certified Instructor: Bryce Galbraith

This hands-on course is designed to give
managers with IT security responsibility a                        FREE laptop
complete understanding of how hacker attacks                          PROVIDED
work and how to defend against them. No
prerequisite knowledge is expected other than        Students will be provided a
some experience with command line utilities.        pre-configured laptop with all
We supply skilled teaching assistants and a        the tools, which is theirs to keep.                                       Certified Instructor
pre-configured laptop with all the tools and                                                                                Bryce Galbraith
                                                          Who Should Attend                          Bryce began his IT journey at 10 years
operating systems needed for the exercises.
                                                   •		nformation	security	management	                   of age with a Commodore 64 and a
This course is an adaptation of our popular          personnel
SEC504: Hacker Techniques, Exploits, and                                                              300 baud modem – he never looked
                                                   •		 hief	information	security	officers
Incident Handling, taught in a way to highlight                                                           back. As a contributing author of
                                                                Special Note:                         the internationally bestselling book
the management implications and applications
                                                       A working lunch is provided each                  Hacking Exposed: Network Security
of the technology. You will build your hands-on         day to give the class additional
                                                                                                           Secrets & Solutions, Bryce helped
skills through the course, and the program will     instruction time. This is all part of the
                                                     SANS promise that what you learn in             bring the secret world of hacking out
culminate with our hacker workshop where the
                                                      the class, you will be able to use the            of the darkness and into the public
majority of students will succeed in breaking            day you get back in the office.                eye. Bryce regularly teaches at the
into target systems. And should you struggle,                                                           ever popular “Black Hat Briefings &
                                                        Get GCIM Certified
your teaching assistant will be able to give you                                                        Training” conferences and provides
just the right hint for success; we promise no                                                        consulting services to clients around
manager will be left behind. At the conclusion                                                     the world. Bryce is a member of several
of the course you will understand the attacks                                                      security-related professional organiza-
that are being used against your organization’s                                                         tions and is a Certified Information
systems, the primary defenses, and how to talk                                                      System Security Professional (CISSP), a
                                                   Reinforce what you learned in training
to your technical people as someone that has                                                        GIAC Certified Incident Handler (GCIH),
                                                    and prove your skills and knowledge
been there, done that.                             with a GCIM certification.             and a Certified Ethical Hacker (CEH).

Please visit for more details on all courses.                      SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   21
     Six-Day Program
 Mon, Sept 29 – Sat, oct 4, 2008                    This hands-on course will help you get started in the field of
9:00am–5:00pm		•		6	CPE/Day
                                                    information technology and security auditing.
                                                    During	the	week	we	will	examine	or	work	with	
                                                    tools	ranging	from	such	things	as	URLScan	(a	part	
Who Should Attend
                                                    of	Microsoft’s	IIS	Security	Wizard)	and	various	
•		 rofessionals	entering	the	audit	
  field                                             CIS	Scoring	Tools	to	HFNetCheck	(hfnetchk.exe)	
•		 uditors	taking	on	information	
  A                                                 and	Unix	syslog,	helping	the	student	to	see	how	
  security	validation	responsibilities              each	of	these	can	be	applied	in	security	and	audit	
•		 anagers	overseeing	the	audit	                   validation.		In	SANS	IT	Security	Audit	and	Control	
  and	validation	process
                                                    Essentials,	we	feel	that	we	have	put	together	a	
•		 nyone	seeking	to	improve	overall	               very	strong	audit	training	program,	giving	both	          AUTHoR STATEMENT
  security	through	addition	of	
  validation	capabilities	                          audit	theory	and	strong	technical	details.		It	           in     tHe    informAtion   AssurAnce         And

•		 uditors	with	a	CISA	or	CIA	                     covers	the	essentials	of	security,	compliance,	and	       vAlidAtion field tHere is A reAl need

  certification	who	are	seeking	to	                 IT	auditing—everything	you	need,	nothing	you	             for QuAlified Auditors .          w itHout   Pro -
  learn	practical	methods	of	auditing	
                                                    don’t.		As	each	topic	is	discussed	in	the	class,	we	
  the	technology	that	is	in	use	today	                                                                        fessionAls wHo cAn HelP us to see
                                                    will	strive	to	first	teach	the	underlying	theories	
                                                                                                              How well we ’ re Performing securit y
   Get GSAE Certified                               and	then	explain	how	and	what	about	these	
                                                                                                              tAsks , we creAte Blind sPots in our
                                                    topics	require	the	attention	of	an	auditor	or	
                                                                                                              securit y vision , Believing tHAt we Are
                                                    compliance	officer.
                                                                                                              PerHAPs more secure tHAn we Are .
                                                    The	course	is	presented	hands	on	so	that	
                                                                                                              t He    trouBle is finding A source of
                                                    students	can	receive	the	most	benefit	by	
                                                                                                              comPreHensive        i nfo s ec    informAtion
                                                    actually	trying	what	is	described	in	the	lectures.		
                                                                                                              As it APPlies to Auditing .          t His   clAss
                                                    This	class	is	not	a	CISA	prep	course.		Instead,	
     Reinforce what you learned                                                                               wAs creAted to Address tHis sPecific
      in training and prove your                    this	course	and	advanced	course	Audit	507:	
     skills and knowledge with a                    Auditing	Networks,	Perimeters,	and	Systems	               need And Allows An At tendee to leAve
           GSAE certification.                      fill	in	all	of	the	technical	how-to	blanks,	giving	       witH All of tHe key securit y Prin -
                                                    you	real-world,	hands-on	audit	practice	for	              ciPles       And   concePts from        securit y
                                                    technologies	currently	in	use.		Throughout	the	           essentiAls couPled witH A cleAr un -
                                                    class	we’ve	tried	very	hard	to	make	sure	that	
                                                                                                              derstAnding of How to APPly tHem to
                                                    we	are	presenting	all	of	the	foundations	of	
                                                                                                              informAtion AssurAnce And Auditing .
                                                    information	security	in	connection	with	current	
                                                                                                              - d Avid H oelzer
                                                    information	technology,	while	continually	
                                                    asking—and	answering!	–	Why	does	an	auditor	
                                                    care	about	this?
                                                          “The information was well presented with great real world examples.
       LAPToP                                                   Best of all, it is immediately applicable to my current job.”
      REqUIRED                                                          -leAn nosewortHy, college of tHe nortH AtlAntic QuArter

22     SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008            To register for SANS NETWORK SECURITY 2008, visit
IT Security Audit and Control Essentials is designed for individuals entering the information security industry
who are tasked with auditing organization policy, procedure, risk, or policy conformance. After attending this course, students
will have gained a firm grasp of information security principles and issues and will be equipped to develop best practice audit
checklists. Audit 410 helps you prepare for SANS’ signature audit course, Audit 507: Auditing Networks, Perimeters, and Systems.

410.1 Hands On: Underlying Infrastructure Concepts and Auditing
Auditors	and	compliance	officers	are	asked	to	examine	a	large	number	of	complex	systems	today,	
including	large	networks,	exposure	of	intellectual	property,	and	physical	facility	security.		Day	one	of	
this	course	introduces	key	technologies	and	systems	relating	to	these	problems,	tying	each	of	them	
directly	to	audit	controls	and	activities	for	the	measurement	of	overall	security.	
Topics: Auditing;	Network	Fundamentals;	Physical	Security;	IP	Behavior

410.2 Hands On: Defense In Depth                                                                                                  Senior Instructor
                                                                                                                                  James Tarala
Electronic	commerce	and	data	interchange	has	become	the	way	to	do	business	in	the	twenty-first	
century.		Organizations	want	to	know	if	they’re	secure	and	what	they	need	to	do	to	become	more	                                   James	Tarala	is	a	principal	
secure.	This	course	will	provide	an	auditor	with	the	technical	underpinnings	of	these	technologies	                               consultant	with	Enclave	
followed	up	with	hands-on	testing	and	validation	exercises	so	that	these	questions	can	be	answered.		                             Hosting,	LLC	and	is	based	out	
Over	the	course	of	the	day,	we	will	cover	everything	required	to	implement	a	comprehensive	
information	assurance	program	and	validate	it	from	end	to	end.                                                                    of	Venice,	FL.	He	is	a	regular	
Topics: Information	Assurance;	Security	Policy;	Access	Control	Techniques	and	Types;	Incident	Handling                            speaker	and	senior	instructor	
                                                                                                                                  with	the	SANS	Institute	as	
410.3 Hands On: Internet Security Technologies                                                                                    well	as	a	courseware	author	
Concealing	the	meaning	of	a	message	can	prevent	unauthorized	parties	from	reading	sensitive	                                      and	editor	for	many	of	their	
information.		Examine	various	aspects	of	encryption	and	how	it	can	be	used	to	secure	your	company’s	                              auditing	and	security	courses.	
assets.		Steganography,	or	information	hiding,	is	also	covered	as	well	as	virus	and	virus	detection.		We’ll	
                                                                                                                                  As	a	consultant	he	has	spent	
also	look	at	various	attacks	that	encryption	can	help	prevent.		
Topics: Host	Based	IDS;	Network	Based;	Honeypots                                                                                  the	past	few	years	architecting	
                                                                                                                                  large	enterprise	IT	security	
410.4 Hands On: Secure Communications                                                                                             and	infrastructure,	specifically	
Connected	closely	to	the	issues	surrounding	EDI	and	EC	are	secure	communications.		This	day	will	                                 working	with	many	Microsoft-
look	at	encryption	and	how	it	can	be	applied	to	information	assurance	problems	in	communication.		                                based,	directory	services,	
More	importantly,	attention	will	be	given	to	identifying	the	correct	types	of	encryption	to	use	for	                              e-mail,	terminal	services,	and	
various	situations	and	how	to	validate	encryption	in	terms	of	compliance	controls.
Topics: Cryptography;	PGP;	Anti-Viral	Tools	on	Desktops;	Operations	Security
                                                                                                                                  wireless	technologies.	He	has	
                                                                                                                                  also	spent	a	large	amount	
410.5 Hands On: Windows Security and Auditing                                                                                     of	time	consulting	with	
Windows	remains	the	most	pervasive	operating	system	in	use	today.		Today’s	material	will	take	                                    organizations	to	assist	them	
a	technical	look	at	the	numerous	security	controls	and	settings	available	on	a	Windows	system,	                                   in	their	security	manage-
particularly	in	terms	of	compliance	management	and	auditing.		The	material	will	give	you	a	solid	                                 ment,	operational	practices,	
handle	on	Windows	2000,	XP,	and	.NET	security	issues.	In	this	section	we	will	also	consider	some	of	the	
many	Microsoft	utilities	available	to	secure	Microsoft	Windows	systems,	including	HFNETCHK,	MBSA,	                                and	regulatory	compliance	
URLSCAN,	IIS	Lockdown,	and	many	more.	                                                                                            issues	and	often	performs	
Topics: The	Windows	Infrastructure;	Permissions	and	User	Rights;	Security	Policies	and	Templates;	Service	Packs,	Patches,	        independent	security	audits	
       and	Backups;	Securing	Network	Services;	Auditing	and	Automation
                                                                                                                                  and	assists	internal	audit	

410.6 Hands On: Unix Security and Auditing                                                                                        groups	to	develop	their	
                                                                                                                                  programs.	James	completed	
The	final	day	of	the	course	covers	an	introduction	to	Unix	and	Unix	security	with	an	eye	on	security	
auditing.		A	wide	range	of	topics	will	be	covered	quickly,	drawing	in	information	from	earlier	in	the	                            his	undergraduate	studies	at	
week	by	showing	how	systems	like	TCPWrappers	are	used	in	a	running	system	or	network.		Students	                                  Philadelphia	Biblical	University	
will	leave	with	an	overall	plan	for	auditing	any	Unix	system.
                                                                                                                                  and	his	graduate	work	at	the	
Topics: Patching	and	Software	Installation;	Minimizing	System	Services;	Logging	Access	Control;	Additional	Security	
       Configuration;	Backups	and	Archives                                                                                        University	of	Maryland.	He	also	
                                                                                                                                  holds	numerous	professional	

Visit for more detailed course descriptions and additional information.               SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   23
     Six-Day Program
 Mon, Sept 29 – Sat, oct 4, 2008                   This course is the end product of over one hundred skilled
9:00am–5:00pm		•		6	CPE/Day
                                                   system, network, and security administrators working with
                                                   one common goal – to improve
                                                   the state of information security.
Who Should Attend
•		 udit	professionals	looking	for	
  A                                                This	course,	like	all	SANS	courses,	is	based	on	
  technical	details	on	auditing                    known	and	validated	threats	and	vulnerabilities.	
•		 ecurity	professionals	newly	
  S                                                These	threats	and	vulnerabilities	are	explained	
  tasked	with	audit	responsibilities               based	on	validated	information	from	real-
•		 ystem	and	network	                             world	situations	that	can	be	used	to	raise	
  administrators	wanting	to	better	
                                                   awareness	within	an	organization	and	build	an	           AUTHoR STATEMENT
  understand	what	an	auditor	is	
  trying	to	achieve,	how	they	think,	              understanding	of	why	auditing	is	important.		            tHe sAns Auditing networks, Perime-
  and	how	to	better	prepare	for	an	                From	these	threats	and	vulnerabilities	we	build	         ters, And    systems course stAnds Alone in
  audit                                            countermeasures	and	defenses,	including	                 tHe informAtion AssurAnce ArenA As tHe
                                                   instrumentation,	metrics,	and	auditing.		The	
                                                                                                            only comPreHensive source for HAnds-
  Get GSNA Certified                               course	begins	with	a	high-level	introduction	on	
                                                                                                            on     Audit   How-to.      former     students
                                                   methods	and	audit	programs.		It	then	takes	you	
                                                                                                            HAve included long time Auditors And
                                                   through	all	the	particulars	of	how	to	actually	
                                                                                                            tHose new to tHe field, BotH of wHom
                                                   audit	devices	and	IT	systems	that	range	from	
                                                                                                            HAve found significAnt Benefit from tHe
                                                   firewalls	and	routers	all	the	way	down	to	the	
                                                                                                            refresHer mAteriAl. one individuAl, A vice
                                                   underlying	operating	systems.
                                                                                                            President witH tHe iiA (institute of inter-
                                                   You’ll	be	able	to	use	what	you	learn	the	day	            nAl    Auditors)   sAid,   “i’ve   Been Auditing
   Reinforce what you learned                      you	get	home.		Five	of	the	six	days	in	the	              systems for A very long time And no one
    in training and prove your
                                                   course	will	include	hands-on	exercises	with	
   skills and knowledge with a                                                                              ever ActuAlly gAve me A formAl Process
        GSNA certification.                        the	demonstrated	tools	on	a	live	in-class	
                                                                                                            tHAt   i   cAn APPly to conducting tecHni-
                             network.		Each	student	is	invited	to	bring	a	
                                                                                                            cAl Audits.    tHAnk   you!”   wHile   we don’t
                                                   Windows	2000	or	higher	laptop	for	use	during	
                                                                                                            reQuire A HigH level of tecHnicAl exPe-
                                                   class.		The	hands-on	exercises	will	allow	you	to	
                                                                                                            rience As A PrereQuisite to tHis course,
                                                   experiment	with	the	audit	tools	discussed	in	
                                                                                                            we HAve worked HArd to mAke sure tHAt
                                                   class	and	to	actually	perform	audit	functions	
                                                   against	SANS-provided	servers	in	class.		A	great	        Anyone wHo comes to tHe course wAlks

                                                   audit	is	more	than	marks	on	a	checklist;	it	is	the	      AwAy witH A weAltH of mAteriAl tHAt tHey

                                                   understanding	of	the	best	practices,	system	             cAn tAke BAck to tHeir office And APPly

                                                   analysis,	and	forensics.		Sign	up	for	this	course	       tomorrow. we reAlisticAlly Address tHe

                                                   and	experience	the	mix	of	theory	and	hands-on,	          “How do i get tHere from Here?” ProBlem
                             pragmatic	knowledge.                                     By offering sHort-term goAl solutions

                                                                                                            wHicH, wHen comBined, will Allow you

                                                       “The information was well presented with             to AcHieve your goAl: identify, rePort

                                                       great real world examples. Best of all, it is        on, And reduce risk in your enterPrise.
                                                      immediately applicable to my current job.”            - dAvid Hoelzer
     REqUIRED                         -leon nosewortHy, college of tHe nortH AtlAntic QAtAr

24    SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008           To register for SANS NETWORK SECURITY 2008, visit
Auditing Networks, Perimeters, and Systems is a hands-on course and is the most comprehen-
sive, most technically advanced audit course on planet earth! Entry level IT auditors tend to earn $40,000 - $65,000
while more advanced auditors can earn up to $95,000. Those with the coveted GSNA certification often earn 8% more
than those without.

507.1 Auditing Principles and Concepts*
This	course	will	fill	in	any	foundational	gaps	you	have	in	auditing	in	addition	to	presenting	innovative	
approaches	to	auditing.		For	classes	taught	in	the	United	States,	coverage	also	includes	legal	
requirements	from	such	laws	as	Sarbanes-Oxley	and	Gramm-Leach-Bliley.		This	course	will	also	help	
any	auditor	to	improve	their	audit	process	and	presentation	of	audit	findings.		
Topics: Auditor’s	Role;	Benefits	of	Various	Auditing	Standards	and	Certifications;	Basic	Auditing	and	Assessing	Strategies;	
       The	Six-Step	Audit	Process

507.2 Hands On: Auditing the Perimeter*                                                                                             SANS Instructor
Day	two	focuses	on	some	of	the	most	sensitive	and	important	parts	of	our	information	technology	                                    Dave Shackleford
infrastructure:	routers	and	firewalls.		In	order	to	properly	audit	a	firewall	or	router,	we	need	to	clearly	                        Dave	Shackleford,	director	
understand	the	information	flow	that	is	expected	for	the	device.		These	diagrams	will	allow	the	auditor	
to	identify	what	objectives	the	routers	and	firewalls	are	seeking	to	meet,	thus	allowing	controls	to	                               of	Configuresoft’s	Center	
be	implemented	which	can	also	be	audited.		Overall,	this	course	will	teach	the	student	everything	                                  for	Policy	&	Compliance,	is	a	
needed	to	audit	routers	and	firewalls	in	the	real	world.
                                                                                                                                    course	and	exam	author	for	
Topics: Overview;	Detailed	Audit	of	a	Router;	Testing	the	Firewall;	Testing	the	Firewall	Rulebase;	Testing	Third	Party	
       Software;	Reviewing	Logs	&	Alerts;	the	Tools	Used                                                                            SANS,	where	he	also	serves	as	

507.3 Hands On: Network Auditing Essentials*                                                                                        a	GIAC	Technical	Director.		He	
Day	three	continues	where	day	two	left	off,	extending	network	and	perimeter	auditing	to	internal	                                   is	the	co-author	of	Hands-On
system	validation	and	vulnerability	testing.	Network	security	professionals	will	see	how	to	use	the	                                Information Security	from	
tools	and	techniques	described	to	audit,	assess,	and	secure	a	network	in	record	time.		Following	a	
                                                                                                                                    Course	Technology,	as	well	
defense	in	depth	approach,	learn	how	to	audit	perimeter	devices,	create	maps	of	active	hosts	and	
services,	and	assess	the	vulnerability	of	those	services.		The	afternoon	covers	database	security	and	                              as	the	“Managing	Incident	
auditing	for	MSSQL,	MySQL,	and	Oracle	with	hands-on	exercises.                                                                      Response”	chapter	in	the	
Topics: Introduction;	War	Dialing;	Wireless;	Mapping	Your	Network;	Analyzing	The	Results;	Follow-on	Activities;		
       Database	Auditing                                                                                                            Course	Technology	book,	

507.4 Hands On: Auditing Web-based Applications*                                                                                    Readings and Cases in the

This	day	will	demonstrate	how	to	identify	security	weaknesses	for	Web-enabled	services	that	could	                                  Management of Information
be	exploited	by	remote	users	using	publicly	available	software	and	manual	techniques.		It	would	                                    Security.		Previously,	he	worked	
be	especially	useful	for	those	auditing,	developing,	or	managing	the	development	of	a	Web-based	
                                                                                                                                    as	CTO	for	the	Center	for	
Topics: Web	Server	Security;	HTTP	Primer;	Traffic	Interception	&	Manipulation;	Tools	of	the	Trade	&	Safety;	Information	            Internet	Security,	as	well	as	for	
       Leakage;	HTML,	JavaScript,	HTTP	Headers;	Caching;	Session	Tracking:	URL	Re-Writing	&	Cookies;		User	Input	Testing:	
       Buffer	Overflows,	Stealth	Commanding,	&	SQL	Injection;	Cross-Site	Scripting	(XSS);	Sample	Audit	-	Step-by-step               a	security	consulting	firm	in	
                                                                                                                                    Atlanta.		He	has	also	worked	
507.5 Hands On: Advanced Systems Audit: Windows XP/2003*                                                                            as	a	security	architect,	analyst,	
Systems	based	on	the	Windows	NT	line	(NT,	2000,	XP,	2003,	and	Vista)	make	up	a	large	part	
of	the	typical	IT	infrastructure.		Quite	often,	these	systems	are	also	the	most	difficult	to	                                       and	manager	for	several	
effectively	secure	and	control.		This	class	gives	you	the	keys,	techniques,	and	tools	to	build	                                     Fortune	500	companies.	He	
an	effective	long	term	audit	program	for	your	Microsoft	Windows	environment.                                                        has	consulted	with	hundreds	
Topics: Auditing	Windows	to	Create	a	Secure	Configuration;	Auditing	Windows	to	Maintain	a	Secure	Configuration;	
       Auditing	Windows	to	Determine	What	Went	Wrong;	Forensics                                                                     of	organizations	in	the	areas	of	

507.6 Hands On: Advanced Systems Audit: Unix*                                                                                       regulatory	compliance,	secu-
                                                                                                                                    rity	and	network	architecture	
Students	will	gain	a	deeper	understanding	of	the	inner	workings	and	fundamentals	of	
the	Unix	operating	system	as	applied	to	Linux,	BSD,	and	Solaris.		Explore,	assess,	and	audit	                                       and	engineering.		His	special-
Unix	systems	hands	on.		Lectures	describe	the	different	audit	controls	that	are	available	                                          ties	include	incident	handling	
on	standard	Unix	systems	as	well	as	access	controls	and	security	models.		Although	a	Unix	
                                                                                                                                    and	response,	intrusion	detec-
based	or	dual	boot	laptop	is	not	required,	please	be	sure	to	check	the	laptop	requirements	
for	the	course	in	order	to	derive	the	greatest	benefits	from	the	experience!                                                        tion	and	traffic	analysis,	and	
Topics: Auditing	Unix	to	Create	a	Secure	Configuration;	Auditing	Unix	to	Maintain	a	Secure	Configuration;		                         vulnerability	assessment	and	
       Auditing	Unix	to	Determine	What	Went	Wrong;	Forensics
                                                                                                                                    penetration	testing.
*This course is available to Audit 507 participants only.

Visit for more detailed course descriptions and additional information.                 SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   25
     Six-Day Program
 Mon, Sept 29 – Sat, oct 4, 2008                      The International Standards Organization (ISO) has
9:00am–5:00pm		•		6	CPE/Day
                                                      recently revised what has become the de facto document
                                                      for creating and maintaining a
                                                      secure enterprise, today known
Who Should Attend
•	ISOs
                                                      as the ISO/IEC 17799:2005 and
                                                      the renumbered 27001
•		 anagement	professionals	
  M                                                   registration criteria.
  considering	or	implementing	
  7799/17799                                          The	strength	of	this	document	is	derived	from	
                                                      the	meticulous	attention	to	detail	provided	
•	Auditors	
                                                      by	the	many	contributing	authors	and	
                                                      organizations	as	well	as	the	applicability	of	
                                                                                                               AUTHoR STATEMENT
 Get G7799 Certified                                  the	standard	to	the	realities	of	doing	business	
                                                                                                               A nyone     wHo HAs ever tried to imPle -
                                                      today.		The	standard	seeks	to	offer	best	practice	
                                                                                                               ment      Bs7799, As7799,                or    iso-
                                                      guidance	regarding	all	manner	of	security	
                                                                                                               17799           in   tHeir    orgAnizAtion     rec -
                                                      issues	and	can	assist	any	organization	that	
                                                                                                               ognizes         tHAt   it    is   An   outstAnding
                                                      chooses	to	adopt	it	to	develop	a	truly	security-
                                                                                                               securit y stAndArd But tHAt tHe initiAl
                                                      minded	corporate	culture.		Using	our	method	
                                                                                                               creAtion of tHe              i nformAtion s ecu -
                                                      for	developing	and	applying	controls,	you	will	
                                                                                                               rit y    m AnAgement s ystem (isms)              to
   Reinforce what you learned                         learn	to	implement	the	guidance	contained	
    in training and prove your                                                                                 Build And mAintAin comPliAnce cAn
                                                      in	ISO-17799	through	step-by-step	pragmatic	
   skills and knowledge with a                                                                                 Be A long And PAinful Process . i n tHis
        G7799 certification.                          examples	and	thereby	move	quickly	into	
                                                                                                               course we use reAl - world exAmPles of
                                compliance	with	the	specification.
                                                                                                               wHAt works And wHy it works in order

                                                      This	course	is	designed	for	information	                 to teAcH you How to APPly tHe sAme

                                                      security	officers	or	other	management	                   metHodologies witHin your orgAnizA -

                                                      professionals	who	are	looking	for	a	how-to	              tion .   t He   end result is tHAt After tAk -

                                                      guide	for	implementing	ISO-17799	effectively.		          ing tHis course you will fully under -

                                                      While	the	standard	is	very	well	written,	                stAnd All AsPects of tHe               7799   fAmily

                                                      anyone	who	has	actually	tried	to	shift	to	an	            of stAndArds And Be in A Position to

                                                      ISO-17799	structured	security	organization	              creAte A world clAss              isms   witH mini -

                                                      knows	that	there	can	be	some	significant	                mAl effort And mAximum efficiency !
                                hurdles	to	overcome.		This	course	will	give	             - d Avid H oelzer
                                                      you	the	information	you	need	to	go	back	to	
                                                      your	organization	with	a	plan	of	action	to	
                                                                                                               “This course provided a usable,
                                                      get	the	job	done!		This	course	has	proven	
                                                                                                             real-world framework for actually
      LAPToP                                          especially	valuable	for	organizations	whose	
                                                                                                             implementing ISO 17799. Not just
   RECoMMENDED                                        17799	implementation	is	currently	“stuck	
                                                                                                               theory, but practical how-to’s.”                         in	the	mud”	or	is	simply	taking	longer	than	
                                                                                                                   -scott frAnklin, durAtek, inc.
                                                      management	would	like.

26       SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008           To register for SANS NETWORK SECURITY 2008, visit
SANS 17799/27001 Security and Audit Framework is designed
for information security officers or other management professionals who are looking for
a how-to guide for implementing ISo-17799/27001 effectively.

411.1 Hands On: Introduction to ISO/IEC 17799/27001:
      Policy, ISMS and Awareness
Day	one	begins	with	a	general	introduction	and	overview	of	ISO-17799	and	the	27000	series	of	
standards.		How	to	apply	this	standard	and	reconcile	it	with	other	comparable	standards	is	also	
discussed	on	this	day	and	throughout	the	week.		From	the	very	beginning,	the	class	is	focused	on	
how-to.		Examine	a	12-step	process	(that	works!)	to	implement	17799/27001	or	almost	any	other	
standard.		See	how	to	Plan,	Do,	Check,	and	Act.	Explore	SANS’	own	version	of	PDCA	which	actually	
extends	the	ISO-17799	methodology,	giving	you	a	strategy	for	attacking	the	rollout	issues	that	you	                                 Certified Instructor
will	face	under	ISO-17799.	Learn	how	to	create,	administer,	and	audit	an	effective	awareness	program	
                                                                                                                                    Matthew Luallen
and	how	to	design	the	Information	Security	Management	System.
Topics: Overview	of	ISO-17799;	Twelve	Steps	Outlined	by	ISO-17799;	SANS	ISO-17799	Methodology                                       Matt	Luallen	is	a	well-

411.2 Hands On: SANS 17799/27001 Controls and Process Improvement I                                                                 respected	professional	
This	day	deals	with	a	variety	of	personnel	and	issue-specific	security	topics.		The	object	of	the	material	                         with	a	unique	background	
covered	is	to	apply	the	policy	creation	techniques	from	day	one	to	specific	areas	of	the	organization	as	
                                                                                                                                    encompassing	several	facets	
they	apply	to	employees	and	co-sourced	individuals.		On	this	day	we’ll	also	spend	time	covering	business	
impact	analysis	methodology	in	relation	to	risk	mitigation	through	policy	and	education	while	simulta-                              of	information	assurance	
neously	examining	possible	process	improvements	and	how	they	can	be	applied	to	the	7799	controls.
                                                                                                                                    and	content	delivery	systems	
Topics: Personnel	Screening;	Job	Descriptions;	Rotation	of	Responsibilities;	Onsite	Service	by	Outside	Contractors;	
       Responsibilities	of	Employees	to	the	Organization;	Communicating	Security	Objectives	and	Policy	to	Personnel;	               surrounding	business	logic.	
       Issue	Specific	Policies
                                                                                                                                    Mr.	Luallen	also	serves	as	
411.3 Hands On: SANS 17799/27001 Controls and Process Improvement II                                                                the	President	and	Principal	
Day	three	of	the	ISO-17799	implementation	course	covers	access	controls,	user	access	management,	
remote	access	controls,	and	network	device	security	from	the	viewpoint	of	incident	planning	                                        Consultant	of	Sph3r3,	LLC.	
and	handling.		Time	will	be	spent	explaining	how	to	measure	the	core	competencies	within	the	
                                                                                                                                    Prior	to	incorporating	Sph3r3,	
organization	and	identifying	the	best	ways	to	handle	security	incidents	in	terms	of	fully	defining	the	
incident	handling	policy	and	staffing	the	incident	handler	teams.		This	topic	leads	naturally	to	the	                               Mr.	Luallen	provided	stra-
discussion	of	business	continuity	planning	and	management.		To	better	define	the	actual	controls	that	
are	put	into	place	operationally,	much	of	the	day	will	be	spent	covering	a	variety	of	technical	topics.
                                                                                                                                    tegic	guidance	for	Argonne	
Topics: Authentication	Methods;	Operating	System	Access	Controls;	Application	Access	Controls;	Security	Monitoring	                 National	Laboratory,	U.S.	
       Systems;	Cryptographic	Controls;	Security	of	System	Files;	Router	ACLs;	Switches;	Firewalls
                                                                                                                                    Department	of	Energy,	within	
411.4 Hands On: SANS 17799/27001 Controls and Process Improvement III                                                               the	Information	Architecture	
Day	four	completes	the	three-day	discussion	of	each	individual	control	in	the	audit	criteria	for	17799,	
continuing	to	describe	key	controls,	explain	them,	and	discuss	implementations	and	possible	process	                                and	Cyber	Security	Program	
improvements.		We	will	address	the	issues	surrounding	continuous	improvement	of	the	methods	                                        Office.		He	has	extensive	
used	to	develop	security	competency	at	both	the	organizational	and	personal	level.		
Topics: Business	Continuity	Planning;	Systems	Development	and	Maintenance;	Security	in	Application	Systems;	Security	of	            consulting	experience	within	
       System	Files;	Security	in	Support	Processes;	Compliance
                                                                                                                                    the	governmental	and	
411.5 Hands On: Risk Management, Security Compliance                                                                                commercial	sectors	including	
      and Audit Controls                                                                                                            a	multi-client	base	of	corpora-
This	portion	of	the	course	focuses	exclusively	on	risk	analysis	and	risk	management	and	relates	them	
                                                                                                                                    tions,	financial	and	healthcare	
to	compliance	and	audit	controls.		A	variety	of	risk	analysis	strategies	will	be	evaluated	and	compared	
including	basic	methods,	detailed	methods,	paper	methods,	and	software-based	approaches.		We	will	                                  organizations.	Matt	is	also	a	
analyze	risk	trees	and	relate	all	of	these	to	the	creation	of	strong	preventative	controls.		The	control	
measures	used	in	class	come	directly	from	the	ISO	27001	criteria.	                                                                  SANS	Certified	Instructor.
Topics: Risk	Analysis;	Risk	Management;	Compliance	and	Audit	Controls;	FMECA;	Fault	Trees;	Event	Trees;	CCA

411.6 Hands On: ISO-17799/27001 Implementation
The	last	day	is	devoted	to	the	hands-on	construction	of	an	ISMS.		The	instructor	acts	as	the	CEO	and	
the	ISO,	organizing	the	class	into	various	committees.		After	the	steering	committee	generates	some	
initial	control	statements,	the	individual	committees	will	work	to	create	simple	high-level	policies	
that	will	be	reviewed	periodically	throughout	the	day.		Exercises	in	risk	analysis	and	mitigation	will	
be	presented	as	problems	are	discovered	during	the	course	of	development.	
Topics: Hands-On	Construction	of	an	ISMS

Visit for more detailed course descriptions and additional information.                 SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   27
     Six-Day Program
                                                               IAT Level III and IAM Levels II and III of the Department of Defense’s
 Mon, Sept 29 – Sat, oct 4, 2008                                                   Baseline Certification for 8570
8	CPE/Day	1	•	9	CPE/Days	2-5	                     The SANS® +S™ Training Program for the CISSP® Certification
        7	CPE/Day	6
 Evening Bootcamp Sessions:	
                                                  Exam will cover the security concepts needed to pass the
5:15pm-7:00pm	Course	days	1-5                     CISSP® exam.
     Early AM Sessions:                           This	is	an	accelerated	review	course	that	assumes	
8:00am-9:00am	Course	days	2-6                     the	student	has	a	basic	understanding	of	networks	
                                                  and	operating	systems	and	focuses	solely	on	the	
Who Should Attend                                 10	domains	of	knowledge	as	determined	by	ISC2:
•		 ecurity	professionals	who	are	
  S                                               1.	 Access	Controls	
  interested	in	understanding	the	                2.	 Telecommunications	and	Network	Security
  concepts	that	are	covered	in	the	                   I
                                                  3.	 	nformation	Security	and	Risk	Management
  CISSP®	exam	as	determined	by	ISC2               4.	 Applications	Security	
•		 anagers	who	want	to	
  M                                               5.	 Cryptography
  understand	the	critical	areas	of	               6.	 Security	Architecture	and	Design	                                 AUTHoR STATEMENT
  network	security                                7.	 Operations	Security	                                              t He cissP®        certificAtion       HAs

•		 ystem,	security,	and	network	
  S                                                   B
                                                  8.	 	 usiness	Continuity	(and	Disaster	Recovery)	Planning	            Been    Around      for       Almost   10
  administrators	who	want	to	                         (
                                                  9.	 	 Law)	Regulations,	Compliance	(and	Investigations)
                                                                                                                        yeArs And covers securit y from A
  understand	the	pragmatic	                            P
                                                  10.		 hysical	and	Environmental	Security	
  applications	of	the	CISSP®	10	                   	                                                                    30,000 foot view . cissP® covers
  Domains                                                                                                               A lot of tHeoreticAl informAtion

•		 ecurity	professionals	and	
  managers	who	are	looking	for	
                                                     b O O T                            C A M P                         tHAt is criticAl for A securit y

                                                                                                                        ProfessionAl        to        understAnd .
  practical	ways	the	10	domains	of	
  knowledge	can	be	applied	to	the	                                                                                      H owever ,    tHis mAteriAl cAn Be
                                                                  This session has extended hours.
  current	job                                         Evening Bootcamp Sessions: 5:15pm–7:00pm	days	1–5.	               dry And since most students do

•		n	short,	MGT414	is	for	anyone	
  I                                                       Early AM Sessions: 8:00am–9:00am	days	2–6.                    not see tHe direct APPlicABilit y
  who	wants	to	obtain	a	CISSP®	
                                                  Each	domain	of	knowledge	is	dissected	into	its	critical	     to tHeir JoBs , tHey find it Boring .
  certification.		If	you	either	desire	a	
                                                  components.		Every	component	is	discussed	showing	its	 t He goAl of tHis course is to
  CISSP®	or	your	job	requires	it,	this	
  is	the	training	for	you.                        relationship	to	each	other	and	other	areas	of	network	       Bring tHe cissP®10 domAins of
                                                  security.		After	completion	of	the	course,	the	student	will	
                                                                                                               knowledge to life . B y exPlAining
                                                  have	a	good	working	knowledge	of	the	10	domains	of	
                                                                                                               imPortAnt toPics witH stories ,
    Get GSIP Certified                            knowledge	and,	with	proper	preparation,	be	ready	to	
                                                  take	and	pass	the	CISSP®	exam.		SANS’ unique training exAmPles , And cAse studies ,
                                                  approach has produced a 98% pass rate on the exam. tHe PrActicAl workings of tHis
                                                  Obtaining	your	CISSP®	certification	consists	of:	                     informAtion cAn Be discovered .

                                                   •		 ulfilling	minimum	requirements	for	professional	                 i   cHAllenge you to At tend tHe
                                                     work	experience                                                    sAns cissP®          trAining course
                                                   •		 ompleting	the	Candidate	Agreement	
                                                                                                                        And find tHe exciting AsPects of
                                                   •		 eriodic	audit	based	on	submission	of	resume
     Reinforce what you learned                      P
                                                   •		 assing	the	CISSP®	250	multiple-choice	question	                  tHe    10   domAins of knowledge .
      in training and prove your                                                                                        - d r . e ric c ole , P H d
                                                     exam	with	a	scaled	score	of	700	points	or	greater
     skills and knowledge with a
           GSIP certification.                       S
                                                   •		 ubmitting	a	properly	completed	and	executed		
                               Endorsement	Form
                                                  Note: The official ISC2 courseware and the CISSP® exam are NOT provided as part of the training.

28     SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008                To register for SANS NETWORK SECURITY 2008, visit
SANS® +S™ Training Program for the CISSP® Certification Exam is an accelerated SANS
CISSP® review course that covers the security concepts required for the CISSP® exam and will get you up to speed fast!
This course is for students who have a basic understanding of networks and operating systems and focuses solely on
the 10 domains of knowledge as determined by ISC2.

414.1 Overview and Access Control Systems and Methodology
Learn	the	specific	requirements	needed	to	obtain	various	certifications	as	well	as	a	CISSP®	
certification.		General	security	principles	that	are	needed	in	order	to	understand	the	10	domains	of	
knowledge	are	covered	in	detail	with	specific	examples	in	each	area.		The	first	of	10	domains,	Access	
Control,	is	discussed	using	real-world	scenarios	to	illustrate	the	critical	points.
Topics: Overview	of	Certification;	Description	of	the	10	Domains:	Introductory	Material;	Domain	1:	Access	Control

414.2 Telecommunications, Network and Internet Security,                                                                    Certified Instructor
      and Security Management Practices                                                                                     Jonathan Ham
                                                                                                                            Jonathan	is	an	independent	
Most	organizations	have	connections	to	the	Internet	and	World	Wide	Web.	This	means	that	they	have	
connections	to	anyone	in	the	world.		This	has	business	implications	and	security	implications.		This	                       consultant	who	specializes	in	
section	examines	the	TCP/IP	protocol	stack	in	detail,	looking	at	each	of	the	headers	and	how	they	                          large-scale	enterprise	security	
interoperate.		General	network	security	practices	and	techniques	are	examined.		We	will	also	examine	                       issues,	from	policy	and	proce-
the	critical	components	of	network	security	and	issues	necessary	to	manage	security	in	an	enterprise.	                      dure,	through	staffing	and	
Topics: Domain	2:	Telecommunications	and	Network	Security;	Domain	3:	Security	and	Risk	Management		
                                                                                                                            training,	to	scalable	preven-
414.3 Applications and Systems Development, and Cryptography                                                                tion,	detection,	and	response	
                                                                                                                            technology	and	techniques.	
Application	development	will	be	covered	with	an	emphasis	on	system	engineering	principles	
and	techniques.		Software	development	life	cycles	are	examined	giving	examples	of	what	types	                               With	a	keen	understanding	
of	projects	are	suited	for	different	life	cycles.		Cryptography	plays	a	critical	role	in	the	protection	                    of	ROI	and	TCO	(and	an	
of	information.		Case	studies	are	examined	showing	the	correct	and	incorrect	ways	to	deploy	                                emphasis	on	process	over	
cryptography	and	common	mistakes	that	are	made.		The	three	types	of	crypto	systems	are	examined	                            products),	he	has	helped	
to	show	how	they	work	together	to	accomplish	the	goals	of	crypto.		
                                                                                                                            his	clients	achieve	greater	
Topics: Domain	4:	Applications	Security;	Domain	5:	Cryptography
                                                                                                                            success	for	over	12	years,	
414.4 Security Architecture and Models, and Operations Security                                                             advising	in	both	the	public	
                                                                                                                            and	private	sectors	from	small	
A	computer	consists	of	both	hardware	and	software.	Understanding	the	critical	components	of	the	
hardware,	how	they	interoperate	with	each	other	and	the	software,	is	critical	in	order	to	implement	                        upstarts	to	the	Fortune	500.	
proper	security	measures.	We	examine	the	different	hardware	components	and	how	they	interact	to	                            He’s	been	commissioned	
make	a	functioning	computer.	Non-technical	aspects	of	security	are	just	as	critical	to	technical	aspects.		                 to	teach	NCIS	investigators	
Operations	security	focuses	on	the	legal	and	managerial	aspects	of	security	and	covers	components	
                                                                                                                            how	to	use	Snort,	performed	
such	as	background	checks	and	non-disclosure	agreements,	which	can	eliminate	problems	from	
occurring	down	the	road.	                                                                                                   packet	analysis	from	a	facility	
Topics: Domain	6:	Security	Architecture	and	Design;	Domain	7:	Operations	Security                                           more	than	2000	feet	under-
                                                                                                                            ground,	and	chartered	and	
414.5 business Continuity Planning and Law, Investigations,                                                                 trained	the	CIRT	for	one	of	
      and Ethics                                                                                                            the	largest	U.S.	civilian	federal	
Business	continuity	planning	is	examined	comparing	the	differences	between	BCP	and	DRP.		A	                                 agencies.	He	currently	holds	
life	cycle	model	for	BCP/DRP	is	covered	giving	scenarios	of	how	each	step	should	be	developed.		                            the	CISSP,	GSEC,	GCIA,	and	
If	you	work	in	network	security,	understanding	the	law	is	critical	during	incident	responses	and	                           GCIH	certifications	and	is	a	
investigations.		The	common	types	of	laws	are	examined	showing	how	critical	ethics	are	during	any	                          member	of	the	GIAC	Advi-
type	of	investigation.
                                                                                                                            sory	Board.	A	former	combat	
Topics: Domain	8:	Business	Continuity	Planning;	Domain	9:	Regulation,	Compliance,	and	Investigations		
                                                                                                                            medic,	Jonathan	still	spends	
414.6 Physical Security                                                                                                     some	of	his	time	practicing	a	
In	any	environment	it	does	not	matter	how	good	your	network	security	is;	if	you	do	not	have	proper	                         different	kind	of	emergency	
physical	security	someone	can	still	obtain	access	to	sensitive	information.		In	this	section	various	                       response,	volunteering	and	
aspects	and	controls	of	physical	security	are	examined	and	explained.		The	course	finishes	with	case	                       teaching	for	both	the	National	
studies	showing	how	you	put	all	of	the	10	domains	into	practice	to	obtain	a	secure	enterprise.                              Ski	Patrol	and	the	American	
Topics: Domain	10:	Physical	and	Environmental	Security                                                                      Red	Cross.

Visit for more detailed course descriptions and additional information.          SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   29
   Five-Day Program                                                IAM Levels I, II, and III of the Department of Defense’s Baseline
                                                                                          Certification for 8570
  Mon, Sept 29 – Fri, oct 3, 2008
9:00am–5:00pm		•		6	CPE/Day                         This completely updated course is designed to empower
                                                    advancing managers who want to get up to speed fast on
                                                    information security issues and terminology. You don’t just learn
Who Should Attend                                   about security; you learn how to manage security.
•		 his	course	is	designed	and	
  taught	for	mid-level	to	C-level	                  Lecture	sections	are	intense;	the	most	common	
  managers	and	leaders.	It	will	give	               student	comment	is	that	it’s	like	drinking	from	
  you	the	ability	to	better	manage	                 a	fire	hose.		The	diligent	manager	will	learn	
  IT	projects	in	a	secure	manner.
                                                    vital,	up-to-date	knowledge	and	skills	required	
•		 nyone	with	8570	information	
                                                    to	supervise	the	security	component	of	any	
  assurance	management	
  responsibilities                                  information	technology	project.		Additionally,	the	
•		 enior	executives		
                                                    course	has	been	engineered	to	incorporate	the	
                                                    NIST	Special	Papers	800	guidance	so	that	it	can	be	
•		 ice	presidents		                                                                                    AUTHoR STATEMENT
                                                    particularly	useful	to	US	Government	managers	
•		 ecurity	or	assurance	officers	and	
                                                    and	supporting	contractors.                         wHen sAns designed tHe security
                                                    Essentials topics covered in this management       leAdersHiP essentiAls for mAnAgers
•		 pwardly	mobile	managers	
                                                    course include	Network	Fundamentals	and	           witH knowledge comPression™ course,

   Get GSLC Certified                               Applications,	Power,	Cooling	and	Safety,	          we cHose to emulAte tHe formAt utilized

                                                    Architectural	Approaches	to	Defense	in	Depth,	     By mAny executive mBA ProgrAms. wHile
                                                    Cyber	Attacks,	Vulnerability	Assessment	and	       core source mAteriAl is derived from
                                                    Management,	Security	Policies,	Contingency	and	
                                                                                                       our HigHly regArded sAns security
                                                    Continuity	Planning,	Awareness	Management,	
                                                                                                       essentiAls ProgrAm, we decided to
                                                    Risk	Management	Analysis,	Incident	Handling,	
                                                    Web	Application	Security,	Offensive	and	Defensive	 focus tHis ProgrAm on tHe Big Picture
                                                    Information	Warfare,	culminating	with	our	         of securing tHe enterPrise: network
   Reinforce what you learned
    in training and prove your
                                                    Management	Practicum.                              fundAmentAls, security tecHnologies,

   skills and knowledge with a                      The	material	uses	Knowledge	Compression™,	                      using cryPtogrAPHy, defense in dePtH,
         GSLC certification.
                                                    special	charts,	and	other	proprietary	SANS	                     Policy      develoPment,     And     mAnAge-
                                                    techniques	to	help	convey	the	key	points	of	                    ment PrActicum.       ultimAtely,   tHe goAl
                                                    critical	slides	and	keep	the	information	flow	                  of   tHis   ProgrAm    is   to   ensure   tHAt
                                                    rate	at	a	pace	senior	executives	demand	every	
                                                                                                                    mAnAgers cHArged witH tHe resPonsi-
                                                    teaching	hour	of	the	course.		Only	SANS	top	
                                                                                                                    Bility for informAtion security cAn mAke
                                                    instructors	with	management	experience	are	
                                                                                                                    informed cHoices And decisions tHAt will
                                                    invited	to	teach	this	course,	and	you	will	be	able	
                                                    to	put	what	you	learn	into	practice	the	day	you	                imProve tHeir orgAnizAtion’s security.

                                                    get	back	into	the	office.                                       - stePHen nortHcutt
                                                                Please note that some course material for SEC401 and MGT512
                                                              may overlap. We recommend SEC401 for those interested in a more
      LAPToP                                                  technical course of study and MGT512 for those primarily interested
     REqUIRED                                                    in a leadership-oriented but less technical learning experience.

30     SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008                To register for SANS NETWORK SECURITY 2008, visit
Security Leaders and Managers earn the highest salaries (well over six figures) in information security
and are near the top of IT. Needless to say, to work at that compensation level, excellence is demanded. These days,
security managers are expected to have domain expertise as well as the classic project management, risk assessment,
and policy review and development skills.

512.1 Managing the Plant, Network,
      and Information Architecture*
The	course	starts	with	a	whirlwind	tour	of	the	information	an	effective	IT	security	manager	
must	know	to	function	in	today’s	environment.		We	will	cover	safety,	physical	security,	and	how	
networks	and	the	related	protocols,	like	TCP/IP,	work	and	equip	you	to	review	network	designs	for	
performance,	security,	vulnerability	scanning,	and	return	on	investment.		Learn	more	about	secure	IT	
operations	in	a	single	day	than	you	ever	thought	possible.
Topics: Budget	Awareness	and	Project	Management;	The	Network	Infrastructure;	Computer	and	Network	Addressing;	                       SANS Faculty Fellow
       IP	Terminology	and	Concepts;	Offensive	Vulnerability	Scanning;	Managing	Safety,	Physical	Security	and	the	                    Stephen Northcutt
       Procurement	Process
                                                                                                                                     Stephen	is	a	graduate	of	
512.2 Defense In Depth*                                                                                                              Mary	Washington	College.	
Learn	information	assurance	foundations,	which	are	presented	in	the	context	of	both	current	and	                                     Before	entering	the	field	of	
historical	computer	security	threats,	and	how	they	have	impacted	confidentiality,	integrity,	and	
availability.		You	will	be	taught	the	methods	of	attack	and	the	importance	of	managing	attack	                                       computer	security,	he	worked	
surface.	We	will	also	investigate	Web	application	security.                                                                          as	a	Navy	helicopter	search	
Topics: Mitnick	vs.	Shimomura;	Methods	of	Attack;	The	Intelligent	Network;	Defense	in	Depth;	Managing	Security	Policy;	              and	rescue	crewman,	white	
       Access	Control	and	Password	Management;	Web	Communications	and	Security;	Web	Security
                                                                                                                                     water	raft	guide,	chef,	martial	
512.3 Secure Communications*                                                                                                         arts	instructor,	cartographer,	
Examine	various	cryptographic	tools	and	technologies	and	how	they	can	be	used	to	secure	a	                                           and	network	designer.		
company’s	assets.		A	related	area	called	steganography,	or	information	hiding,	is	also	covered.	Learn	
how	malware	and	viruses	often	employ	cryptographic	techniques	in	an	attempt	to	evade	detection.                                      Stephen	is	author/coauthor	
Topics: Cryptography;	Wireless	Network	Security;	Steganography;	Operations	Security,	Defensive	and	Offensive	Methods                 of	Incident Handling Step-
                                                                                                                                     by-Step, Intrusion Signatures
512.4 The Value of Information*                                                                                                      and Analysis, Inside Network
On	this	day,	we	consider	the	most	valuable	resource	an	organization	has	–	its	information.		You	
will	learn	about	intellectual	property,	incident	handling,	and	to	identify	and	better	protect	the	                                   Perimeter Security, SANS
information	that	is	the	real	value	of	your	organization.		We	will	then	formally	consider	how	to	apply	                               Security Essentials,	and	
everything	we	have	learned	as	well	as	practice	briefing	management	on	our	risk	architecture.	
                                                                                                                                     Network Intrusion Detection
Topics: Managing	Intellectual	Property;	Incident	Handling	Foundations;	Information	Warfare;	Managing	Ethics;		
       IT	Risk	Management                                                                                                            3rd	edition.	His	newest	book	
                                                                                                                                     is	entitled	IT Ethics Handbook.		
512.5 Management Practicum*
                                                                                                                                     He	was	the	original	author	
In	the	fifth	and	final	day,	we	pull	it	all	together	and	apply	the	technical	knowledge	to	the	art	of	
management.		The	management	practicum	covers	a	number	of	specific	applications	and	topics	                                           of	the	Shadow Intrusion
concerning	information	security.		We’ll	explore	proven	techniques	for	successful	and	effective	
                                                                                                                                     Detection System	before	
management,	empowering	managers	to	immediately	apply	what	you’ve	been	taught	your	first	day	
back	at	the	office.                                                                                                                  accepting	the	position	
Topics: The	Mission;	Globalization;	IT	Business	and	Program	Growth;	Security	and	Organizational	Structure;		                         of	chief	for	information	
       The	Total	Cost	of	Ownership;	Negotiations;	Fraud;	Legal	Liability;	Privacy;	Technical	People
                                                                                                                                     warfare	at	the	Ballistic	Missile	
*This course is available to Management 512 participants only.
                                                                                                                                     Defense	Organization.		
                                                                                                                                     Stephen	currently	serves	
                                                                                                                                     as	the	president	of	the	
                “MGT512: The best offense is a best defense.”                                                                        SANS	Technology	Institute,	

                                              -tHomAs vAlerio, dod                                                                   a	postgraduate	security	

Visit for more detailed course descriptions and additional information.                  SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   31
     Six-Day Program
 Mon, Sept 29 – Sat, oct 4, 2008                   This course is designed to give you the knowledge and tools
9:00am–5:00pm		•		6	CPE/Day
                                                   you need to become a top-notch project manager and has
                                                   a focus on effective communication, human resources, and
                                                   quality management.
Who Should Attend
                                                   Throughout	the	week,	we	will	cover	all	aspects	of	
•		 ecurity	professionals	who	are	
  interested	in	understanding	the	                 project	management	from	planning	and	initiating	
  concepts	of	project	management                   projects	and	managing	cost,	time,	and	quality	while	
•		 anagers	who	want	to	under-
  M                                                your	project	is	active	to	completing,	closing,	and	
  stand	the	critical	areas	of	making	              documenting	as	your	project	finishes.		This	course	
  projects	successful                              follows	the	basic	project	management	structure	
•		 nyone	working	with	time,	cost,	
  A                                                from	the	Project	Management	Institute’s	Guide to
  quality,	and	risk	sensitive	projects	            the Project Management Body of Knowledge (PMBOK®                                    AUTHoR STATEMENT
  and	applications
                                                   Guide)	and	also	offers	specific	insight	and	techniques	                             mAnAging             ProJects           to     com-
•		 ecurity	professionals	and	manag-               to	help	you	get	the	job	done.		A	copy	of	the	Guide to
  ers	who	would	like	to	utilize	effec-                                                                                                 Pletion,        witH         An        Alert    eye
                                                   the Project Management Body of Knowledge (PMBOK®
  tive	communication	techniques	                                                                                                       o n Q uA l i t y , c o s t , A n d t i m e , i s
  and	proven	methods	to	relate	                    Guide) -	Third	Edition	is	provided	to	all	participants.		
                                                                                                                                       sometHing            most         of    us     need
  better	to	people	                                You	can	use	your	course	material	and	the	guidebook	
                                                   after	you	complete	the	class	to	help	you	prepare	for	                               to do on An ongoing BAsis.                       in
•		 nyone	who	is	interested	in	pre-
  paring	for	Project	Management	                   your	Project	Management	Professional	(PMP®)	Exam.                                   tHis     course,        we        BreAk      down
  Institute’s	–	Project	Management	
  Professional	(PMP®)	Exam                         The	project	management	process	is	broken	down	                                      ProJect        mAnAgement                into   its

                                                   into	core	process	groups	that	can	be	applied	                                       f u n d A m e n tA l c o m P o n e n t s A n d
                                                   across	multiple	areas	of	any	project.		The	course	
  Get GCPM Certified                               covers	cost,	time,	quality,	and	risk	management.		
                                                                                                                                       w o r k t o g A lvA n i z e yo u r u n d e r -

                                                                                                                                       s tA n d i n g o f t H e k e y c o n c e P t s
                                                   Time	management	with	projects	is	especially	
                                                                                                                                       witH      An    emPHAsis           on     PrActi-
                                                   dangerous	since	many	project	activities	have	
                                                   complex	relationships	with	each	other.		Although	                                   c A l A P P l i c At i o n A n d e x e c u t i o n .

                                                   cost	management	is	omnipresent	in	any	business,	                                    since     ProJect mAnAgers sPend
                                                   effectively	managing	the	costs	of	a	project	is	often	                               t H e vA s t m A J o r i t y o f t H e i r t i m e
                                                   a	differentiating	factor	between	projects	that	
                                                                                                                                       c o m m u n i c At i n g     witH         otHers,
   Reinforce what you learned
                                                   come	to	fruition	and	those	that	fail.		The	quality	
                                                                                                                                       we focus on trAits And tecH-
    in training and prove your                     section	covers	quality	assurance	programs	in	depth	
   skills and knowledge with a                     and	highlights	the	concept	of	continual	process	                                    niQues       t H At    enABle           effective

        GCPM certification.                        improvement.		We	go	into	a	great	amount	of	detail	                                  c o m m u n i c At i o n .     witH          PeoPle
                             with	human	resource	management	as	well	as	                                          Being tHe most criticAl Asset in
                                                   effective	communication.		People	resources	are	the	                                 yo u r P r o J e c t m A n A g e m e n t A r -
                                                   most	valuable,	and	the	communication	and	conflict	
                                                                                                                                       senAl, effective And tHorougH
                                                   resolution	techniques	presented	can	be	used	in	all	
                                                                                                                                       c o m m u n i c At i o n      is       essentiAl.
                                                   areas	of	professional	work.		Above	all,	projects	fail	
                                                   or	succeed	because	of	the	people	involved.		You	                                    -J e f f f r i s k
                                                   want	to	make	sure	the	people	involved	with	the	
                                                   development	and	execution	of	your	project	build	a	
                                                   strong	team	and	communicate	effectively.
             MSISM                                 PMBOK®	and	PMP®	are	registered	trademarks	of	the	Project	Management	Institute.

32    SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008                                 To register for SANS NETWORK SECURITY 2008, visit
Project Management and Effective Communications for Security Professionals
and Managers will give you the tools to hone your communication skills and enable you to succeed in
managing projects where quality, cost, and time are driving factors.

525.1 Project Management Structure and Framework*
This	course	offers	insight	and	specific	techniques	that	both	beginner	and	experienced	project	manag-
ers	can	utilize.		The	structure	and	framework	section	lays	out	the	basic	architecture	and	organization	of	
project	management.		We	will	cover	the	common	project	management	group	processes,	the	differ-
ence	between	projects	and	operations,	project	life	cycles,	and	managing	project	stakeholders.	
Topics: Definition	of	Terms	and	Process	Concepts;	Group	Processes;	Project	Life	Cycle;	Types	of	Organizations;	PDCA	Cycle

525.2 Project Charter and Scope Management*
During	day	two,	we	cover	project	charter	and	scope	management.		We	will	go	over	techniques	used	to	
                                                                                                                                        Certified Instructor
develop	the	project	charter	and	formally	initiate	a	project.		The	scope	portion	defines	the	important	
input	parameters	of	project	management	and	gives	you	the	tools	to	ensure	that	from	the	onset	                                           Jeff Frisk
your	project	is	well	defined.		We	cover	tools	and	techniques	that	will	help	you	define	your	project’s	                                  Jeff	currently	serves	as	the	
deliverables	and	develop	milestones	to	gauge	performance	and	manage	change	requests.                                                    director	of	GIAC.		He	has	
Topics: Formally	Initiating	Projects;	Project	Charters;	Project	Scope	Development;	Work	Breakdown	Structures;	Scope	
       Verification	and	Control                                                                                                         worked	on	many	projects	
                                                                                                                                        for	SANS	including	the	
525.3 Time and Cost Management*                                                                                                         OnDemand	product,	
Our	third	day	details	the	time	and	cost	aspects	of	managing	a	project.		We	will	cover	the	importance	
of	correctly	defining	project	activities,	project	activity	sequence,	and	resource	constraints.		We	will	use	                            courseware	development,	
milestones	to	set	project	timelines	and	task	dependencies	along	with	learning	methods	of	resource	al-                                   and	GIAC	certification	and	
location	and	scheduling.		We	introduce	the	difference	between	resource	and	product	related	costs	and	                                   exam	development.		Jeff	
go	into	detail	on	estimating,	budgeting,	and	controlling	costs.		You	will	learn	techniques	for	estimating	
project	cost	and	rates	as	well	as	budgeting	and	the	process	for	developing	a	project	cost	baseline.                                     has	an	engineering	degree	
Topics: Process	Flow;	Task	Lead	and	Lag	Dependencies;	Resource	Breakdown	Structures;	Task	Duration	Estimating;	Critical	                from	The	Rochester	Institute	
       Path	Scheduling;	Cost	Estimating	Tools;	Cost	vs.	Quality;	Cost	Base	Lining;	Earned	Value	Analysis	and	Forecasting
                                                                                                                                        of	Technology	and	more	
525.4 Communications and Human Resources*                                                                                               than	10	years	of	IT	project	
During	day	four,	we	move	into	human	resource	management	and	building	effective	communications	                                          management	experience	
skills.		People	are	the	most	valuable	asset	of	any	project	and	we	cover	methods	for	identifying,	acquiring,	                            with	computer	systems,	high-
developing,	and	managing	your	project	team.	Performance	appraisal	tools	are	offered	as	well	as	conflict	
management	techniques.		You	will	learn	management	methods	to	help	keep	people	motivated	and	pro-                                        tech	consumer	products,	
vide	great	leadership.		The	effective	communication	portion	of	the	day	covers	identifying	and	develop-                                  and	business	development	
ing	key	interpersonal	skills.		We	cover	organizational	communication	and	the	different	levels	of	commu-                                 initiatives.		Jeff	has	held	
nication	as	well	as	describe	common	communication	barriers	and	tools	to	overcome	these	barriers.
Topics: Acquiring	and	Developing	Your	Project	Team;	Organizational	Dependencies	and	Charts;	Roles	and	Responsibilities;	Team	           various	positions	including	
       Building;	Conflict	Management;	Interpersonal	Communication	Skills;	Communication	Models	and	Effective	Listening                  operations	management,	
525.5 Quality and Risk Management*                                                                                                      product	development,	
                                                                                                                                        electronic	systems,	and	
Day	five	focuses	on	quality	and	risk.		You	will	become	familiar	with	quality	planning,	quality	assurance,	
and	quality	control	methodologies	as	well	as	learning	the	cost	of	quality	concept	and	its	parameters.		                                 computer	engineering.		
We	define	quality	metrics	and	cover	tools	for	establishing	and	benchmarking	quality	control	programs.	                            	     He	has	many	years	of	
We	go	into	quality	assurance	and	auditing	as	well	as	using	and	understanding	quality	control	charts.	
The	risk	section	goes	over	known	vs.	unknown	risks	and	how	to	identify,	assess,	and	categorize	risk.		We	                               international	and	high-level	
use	quantitative	risk	analysis	and	modeling	techniques	so	that	you	can	fully	understand	how	specific	                                   business	experience	working	
risks	affect	your	project.		You	will	learn	ways	to	plan	for	and	mitigate	risk	by	reducing	your	exposure	as	                             with	high-tech	companies	to	
well	as	being	able	to	take	advantage	of	risks	that	could	have	a	positive	effect	on	your	project.
                                                                                                                                        develop	computer	hardware	
Topics: Cost	of	Quality;	Quality	Metrics;	Continual	Process	Improvement;	Quality	Baselines;	Quality	Control;	Change	Control;	Risk	
       Identification;	Risk	Assessment;	Time	and	Cost	Risks;	Risk	Probability	and	Impact	Matrices;	Risk	Modeling	and	Response           and	software	products.	

525.6 Procurement and Project Integration*
We	close	out	the	week	with	the	procurement	aspects	of	project	management	and	then	integrate	all	of	                                    “The instructor and course
the	concepts	presented	thus	far	into	a	solid,	broad	reaching	approach.		We	cover	contract	basics	and	
different	types	of	contracts,	then	the	make	vs.	buy	decision	process.		We	go	over	ways	to	initiate	strong	
                                                                                                                                       were up to the usual SANS
request	for	quotations	(RFQ)	and	develop	evaluation	criteria,	then	qualify	and	select	the	best	partners	                                high standard. What sets
for	your	project.	The	final	session	integrates	everything	we	have	learned	by	bringing	all	the	topics	
together	with	the	common	process	groups.		Using	detailed	project	management	methodology,	we	
                                                                                                                                      the course apart from others
learn	how	to	finalize	the	project	management	plan	and	then	execute	and	monitor	the	progress	of	your	                                     is being in a classroom
project	to	ensure	success.
Topics: Contract	Types;	Make	vs.	Buy	Analysis;	Vendor	Weighting	Systems;	Contract	Negotiations;	Project	Execution;	
                                                                                                                                       with fellow IT professionals
       Monitoring	Your	Projects	Progress;	Finalizing	Deliverables;	Forecasting	and	Integrated	Change	Control                             and being able to share
*This course is available to Management 525 participants only.                                                                                 experiences.”
                                                                                                                                               -eric inouye, sPAwAr

Visit for more detailed course descriptions and additional information.                     SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   33
   Five-Day Program                                           IAM Level I of the Department of Defense’s Baseline Certification for 8570
 Mon, Sept 29 – Fri, oct 3, 2008
9:00am–5:00pm		•		6	CPE/Day                        SANS is the “MIT of Information Security,” and this introductory
                                                   certification course is the fastest way to get up to speed in
                                                   information security.
Who Should Attend                                  Written	and	taught	by	battle-scarred	security	
•		 rofessionals	who	need	to	hit	
  P                                                veterans,	this	entry-level	course	covers	a	broad	
  the	ground	running	and	need	an	                  spectrum	of	security	topics	and	is	liberally	
  overview	of	information	assurance                sprinkled	with	real	life	examples.		A	balanced	
•		 anagers,	information	security	
  M                                                mix	of	technical	and	managerial	issues	makes	
  officers,	and	system	administrators	             this	course	appealing	to	attendees	who	need	
  who	need	an	overview	of	risk	                    to	understand	the	salient	facets	of	information	
  management	and	defense	in	                       security	and	risk	management.		Organizations	                AUTHoR STATEMENT
  depth	techniques
                                                   often	tap	someone	who	has	no	information	                    A    good friend of mine once sAid ,
•		 nyone	who	writes,	implements,	                 security	training	and	say,	“Congratulations,	you	            “A   lit tle securit y is Bet ter tHAn no
  or	must	adhere	to	policy,	disaster	
                                                   are	now	a	security	officer.”		If	you	need	to	get	            securit y .” i f your orgAnizAtion is in
  recovery,	or	business	continuity
                                                   up	to	speed	fast,	Security	301	rocks!                        eitHer situAtion ( lit tle or no securit y )

                                                                                                                And you wAnt to mAke A difference in
                                                   We	begin	by	covering	basic	terminology	
                                                   and	concepts,	and	then	move	to	the	basics	                   A Positive wAy , tHis course is A greAt

                                                                                                                PlAce to stArt . i f your orgAnizAtion
   Get GISF Certified                              of	computers	and	networking	as	we	discuss	
                                                   Internet	Protocol,	routing,	Domain	Name	                     HAs AlreAdy mAde An investment in

                                                   Service,	and	network	devices.		We	cover	                     securit y , tHis is A greAt oPPortunit y

                                                   the	basics	of	cryptography,	and	wireless	                    to comPAre notes witH otHers And

                                                   networking,	then	we	look	at	policy	as	a	tool	to	             identify How to mAximize tHe return

                                                   effect	change	in	your	organization.		In	the	final	           on your investment . i n          1995, i           Agreed

                                                   day	of	the	course,	we	put	it	all	together	with	an	           to fill tHe Position of                “ numBer         one

                                                   introduction	to	defense	in-depth.                            sPeAr   cAtcHer ”         ( tHe    HeAd         securit y
   Reinforce what you learned                                                                                   guy ) for our orgAnizAtion .                    i    Asked
    in training and prove your                     If	you’re	a	newcomer	to	the	field	of	information	
                                                   security,	this	is	the	course	for	you!		You	will	             ABout trAining And my Predecessor
   skills and knowledge with a
         GISF certification.                       develop	the	skills	to	bridge	the	gap	that	                   told    me       tHAt     tHe     Agency            would
                             often	exists	between	managers	and	system	                    Provide trAining , But suggested tHAt

                                                   administrators,	and	learn	to	communicate	                    i   work for six montHs to get some

                                                   effectively	with	personnel	in	all	departments	               “ reAl - world        exPerience           to   comPAre

                                                   and	at	all	levels	within	your	organization.                  AgAinst tHe tHeory .”             it       wAs A long

                                                                                                                And frustrAting six montHs And tHe
                                                   This	is	the	course	SANS	offers	for	the	
   “I now feel prepared and                                                                                     trAining wAs less tHAn HelPful .                         A
                                                   professional	just	starting	out	in	security.		If	you	
  confident to question the                                                                                     few yeArs lAter wHen              sAns          offered
                                                   have	experience	in	the	field,	please	consider	
 security environment. And                         our	more	advanced	offerings	such	as	SEC401:	                 to let me HelP write And teAcH tHis

 I have been equipped with                         SANS	Security	Essentials	Bootcamp	Style.                     course ,     i   literAlly        JumPed         At     tHe

 the tools required to do my                                                                                    oPPortunit y .        e very   time    i   teAcH it ,   i’ m
      job more efficiently.”                                                                                    excited And       i   enJoy it As mucH As tHe

                                                                                                                At tendees .     it’s    Been very grAtifying .
          -melAnie dodson,
                                                                                                                -f red k erBy

34    SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008              To register for SANS NETWORK SECURITY 2008, visit
Intro to Information Security is our entry-level course. It was developed by some of the most effective security managers
in the business. It starts with terminology and concepts and then blasts straight into applications and security management
problem solving. A basic level security officer typically earns from $40,000 to $60,000 and can grow to the $60,000 to $80,000
range in large organizations with strong security programs.

301.1 	A Framework for Information Security
Information	security	is	based	upon	foundational	concepts	such	as	asset	value,	the	CIA	triad	
(confidentiality,	integrity,	and	availability),	principal	of	least	privilege,	access	control,	and	separation	of	
risk.		Day	one	provides	a	solid	understanding	of	the	terms,	concepts,	and	tradeoffs	that	will	enable	you	
to	work	effectively	within	the	information	security	landscape.		If	you	have	been	in	security	for	a	while,	
these	chapters	will	be	a	refresher,	providing	new	perspectives	on	some	familiar	issues.
Topics: Basic	Concepts	(Value	of	Assets,	Security	Responsibilities,	IA	Pillars	and	Enablers,	IA	Challenges,	Trust	and	Security);	
       Principles	(Least	Privilege,	Defense	in	Depth,	Separation	of	Risk,	Kerckhoff’s	Principle);	Security	as	a	Process	(Analysis,	
       Protection,	Detection,	Response)                                                                                                  Senior Instructor
                                                                                                                                         Fred Kerby
301.2 Securing the Infrastructure                                                                                                        Fred	is	an	engineer,	manager,	
To	appreciate	the	risks	associated	with	being	connected	to	the	Internet,	one	must	have	a	basic	                                          and	security	practitioner	
understanding	of	how	networks	function.		Day	two	covers	the	basics	of	networking	including	
encapsulation,	hardware	and	network	addresses,	name	resolution,	and	address	translation.		We	
                                                                                                                                         whose	experience	spans	
explore	some	typical	attacks	against	the	networking	and	computing	infrastructure	along	with	                                             several	generations	of	
appropriate	countermeasures.                                                                                                             networking.		He	is	the	infor-
Topics: Terms	(Encapsulation,	Ports,	Protocols,	Addresses,	Network	Reference	Models	-	stacks);	Addressing	(Hardware,	
       Network,	Resolution,	Transport	Protocols,	TCP,	UDP);	Other	Protocols	(ARP,	ICMP,	Routing	Basics,	The	Local	Network,	              mation	assurance	manager	
       Default	Gateway);	Network	Components	(Hubs,	Switches,	Routers,	Firewalls,	Component	Management	-	SNMP);	                          at	the	Naval	Surface	Warfare	
       Attacks	and	Countermeasures	(Attack	Theory,	Types	of	Attacks,	Countermeasures)
                                                                                                                                         Center,	Dahlgren	Division	
301.3 Cryptography and Security in the Enterprise                                                                                        and	has	vast	experience	with	
Cryptography	can	be	used	to	solve	a	number	of	security	problems.		Cryptography	and	Security	in	the	                                      the	political	side	of	security	
Enterprise	provides	an	in-depth	introduction	to	a	complex	tool,	cryptography,	using	easy	to	under-
                                                                                                                                         incident	handling.	His	team	
stand	examples	and	avoiding	complicated	mathematics.		Attendees	will	gain	meaningful	insights	into	
the	benefits	of	cryptography	(along	with	the	pitfalls	of	a	poor	implementation	of	good	tools).		The	day	                                 is	one	of	the	recipients	of	the	
continues	with	an	overview	of	the	security	organization	in	a	typical	company.	Where	does	security	fit	                                   SANS	Security	Technology	
in	the	overall	organizational	scheme?	What	is	its	charter?		What	other	components	of	the	larger	orga-
                                                                                                                                         Leadership	Award	as	well	as	
nization	must	it	interact	with?		We	conclude	the	day	with	a	whirlwind	overview	of	wireless	networking	
technology	benefits	and	risks,	including	a	roadmap	for	reducing	risks	in	a	wireless	environment.                                         the	Government	Technology	
Topics: Cryptography	(Cryptosystem	Components,	Cryptographic	Services,	Algorithms,	Keys,	Cryptographic	Applications,	                    Leadership	Award.		Fred	
       Implementation);	Security	in	the	Enterprise	(Organizational	Placement,	Making	Security	Possible,	Dealing	with	
       Technology,	Security	Perspectives,	Organizational	Relationships,	Building	a	Security	Program);	Wireless	Network	                  received	the	Navy	Merito-
       Security	(Wireless	Use	and	Deployments,	Wireless	Architecture	and	Protocols,	Common	Misconceptions,	Top	4	
       Security	Risks,	Steps	to	Planning	a	Secure	WLAN)
                                                                                                                                         rious	Civilian	Service	Award	
                                                                                                                                         in	recognition	of	his	technical	
301.4 Information Security Policy                                                                                                        and	management	leadership	
Day	four	will	empower	those	with	the	responsibility	for	creating,	assessing,	approving,	or	                                              in	computer	and	network	
implementing	security	policy	with	the	tools	and	techniques	to	develop	effective,	enforceable	
                                                                                                                                         security.	A	frequent	speaker	
policy.		Information	Security	Policy	demonstrates	how	to	bring	policy	alive	by	using	tools	and	
techniques	such	as	the	formidable	OODA	(Orient,	Observe,	Decide,	Act)	model.		We	also	explore	risk	                                      at	SANS,	Fred’s	presenta-
assessment,	management	guidelines,	and	sample	policies	as	well	as	examples	of	policy	and	perimeter	                                      tions	reflect	his	opinions	and	
                                                                                                                                         are	not	the	opinions	of	the	
Topics: The	OODA	Model;	Security	Awareness;	Risk	Management	Policy	for	Security	Officers;	Developing	Security	Policy;	
       Assessing	Security	Policy;	Applying	What	We	Have	Learned	on	the	Perimeter;	Perimeter	Policy	Assessment                            Department	of	the	Navy.

301.5 Defense In Depth: Lessons Learned                                                                                                 “I felt the real-world stories
The	goal	of	day	five	is	to	enable	managers,	administrators,	and	those	in	the	middle	to	strike	a	
balance	between	“security”	and	“getting	the	job	done.”		We’ll	explore	how	risk	management	deals	                                         Fred Kerby told during the
with	more	than	security	and	how	the	ISO-OSI	model	may	have	an	eighth	layer	(political)	impacting	
                                                                                                                                         class really helped put the
communications	and	transmission.		It	is	replete	with	war	stories	from	the	trenches	that	illustrate	the	
TSP	(Tie	to	Sandal	Protocol)	used	by	successful	security	professionals	worldwide.                                                           material in context.”
Topics: The	Site	Security	Plan;	Computer	Security;	Application	Security;	Incident	Handling;	Making	the	Most	of	Your	                         -micHelle l. duPrey,
       Opportunities	with	Others;	Measuring	Progress
                                                                                                                                          AmericAn student AssistAnce

Visit for more detailed course descriptions and additional information.                      SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   35
     Six-Day Program
 Mon, Sept 29 – Sat, oct 4, 2008                             IAT Level II of the Department of Defense’s Baseline Certification for 8570
     Days	1-5:	8	CPE/Day	                           This course is endorsed by the Committee on National Security Systems (CNSS) NSTISSI 4013
      Day	6:	6	CPE/Day	                             Standard for Systems Administrators in Information Systems Security (INFOSEC).
 Evening	Bootcamp	Sessions:		
       5:15pm-7:00pm                                Maximize your training time and
                                                    turbo-charge your career in security by
Who Should Attend
•		 ecurity	professionals	who	want	to	
  S                                                 learning the full SANS Security Essentials
  fill	the	gaps	in	their	understanding	
  of	technical	information	security                 curriculum needed to qualify for the
•		 etwork	engineers	wanting	to	enter	
  N                                                 GSEC certification.
  the	field	of	security
•		 ecurity	engineers/admins	and	
  S                                                 Security	Essentials	was	designed	to	give	anyone	
  managers	or	others	wanting	a	more	                working	or	interested	in	network	security	the	critical	
  detailed	understanding	of	the	
  technical	components	of	security
                                                    knowledge	needed	to	be	an	effective	player	in	this	               AUTHoR STATEMENT
•		 nyone	new	to	information	security	
  A                                                 space.		The	critical	components	of	network	security	              o ne of tHe tHings i love to                    HeAr

  with	some	background	in	informa-                  have	been	bundled	together	in	this	in-depth,	                     from students After teAcHing                     se-
  tion	systems	and	networking                       comprehensive	course.		It	provides	the	essential,	                curit y       401   is ,   “i   HAve worked in
•		ndividuals	with	operational	                                                                                       securit y for mAny yeArs , And After
                                                    up-to-the-minute	knowledge	and	skills	required	for	
  responsibility	for	a	firewall,	VPN,	or	
  Internet	facing	device                            effective	performance	when	given	the	responsibility	              tAking tHis course                  i   reAlized How

                                                    for	securing	systems	and/or	organizations.		It	also	              mucH      i            w itH tHe
                                                                                                                                    did not know .”

   Get GSEC Certified                               gives	you	the	language	and	underlying	theory	of	                  lAtest version of sAns s ecurit y

                                                    computer	security,	all	taught	by	the	best	security	               e ssentiAls B ootcAmP s t yle , we
                                                                                                                      HAve reAlly cAPtured tHe criticAl
                                                    instructors	in	the	industry.	
                                                                                                                      AsPects of securit y And enHAnced
                                                                                                                      tHose toPics witH exAmPles to drive
                                                                                                                      Home tHe key Points . A fter At tend -

                                                       b O O T                           C A M P                      ing tHis course ,               i       Am confident
                                                                                                                      you will wAlk AwAy witH solutions
                                                                                                                      to ProBlems you HAve HAd for A
   Reinforce what you learned
    in training and prove your                                  Security 401 PARTICIPANTS ONLY                        wHile Plus solutions to ProBlems

   skills and knowledge with a                            5:15pm - 7:00pm - Required — Course Days 1-5                you did not even know you HAd .
         GSEC certification.                         Attendance	is	required	for	the	evening	bootcamp	sessions	        - d r . e ric c ole , P H d
                               (each	evening	for	days	1-5)	as	the	information	presented	
                                                     appears	on	the	GIAC	Exams.		The	material	covered	in	these	
                                                                                                                      Please note that some course material
                                                     sessions	is	based	on	Dr.	Eric	Cole’s	“cookbook	for	geeks”	       for SEC401 and MGT512 may overlap.
                                                     and	most	students	find	bootcamp	to	be	the	highlight	of	          We recommend SEC401 for those in-
                                                     their	Security	Essentials	experience!		Apply	the	knowledge	      terested in a more technical course of
                                                     gained	throughout	the	course	in	an	instructor-led	               study and MGT512 for those primarily
                                                     environment.		Students	will	have	the	opportunity	to	             interested in a leadership-oriented
                                                     install,	configure,	and	use	the	tools	and	techniques	they	       but less technical learning experience.
                                                     have	learned.		CDs	containing	the	software	required	will	
                                                     be	provided	for	each	student.		Students	should	arrive	
              MSISE                                  with	a	laptop	that	has	both	a	Red	Hat	9.0	partition	and	
                               a	Windows	XP	partition.		A	working	knowledge	of	each	
                                                     operating	system	is	recommended	but	not	required	to	get	
                                                     a	great	deal	of	knowledge	from	the	course.		For	students	         SANS Security Essentials Bootcamp
      LAPToP                                         who	do	not	wish	to	build	a	dual	boot	machine,	SANS	will	            Style is a bridge to our technical
     REqUIRED                                        provide	a	bootable	Linux	CD	for	the	Linux	exercises.              courses Audit 507 and Security 502,                                                                                                 503, 504, 505, 506, and 508.

36     SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008               To register for SANS NETWORK SECURITY 2008, visit
Security Essentials is our most popular training program. We strongly recommend you attend the evening bootcamp
sessions with hands-on exercises. These require the dedication to really put in the hours, but they can help you fill in the gaps
in your information security knowledge. Everyone, except truly seasoned hands-on information security workers, can benefit
from SANS Security Essentials Bootcamp Style. A GSEC Certification can add 6-9% to your bottom line salary.

401.1 Networking Concepts
Day	one	teaches	you	how	networks,	routers,	firewalls,	and	the	related	protocols	like	TCP/IP	work	so	you’ll	be	better	
prepared	to	determine	hostile	traffic	and	have	a	foundation	for	the	succeeding	days’	training.		
Network Fundamentals                     IP Concepts II                           VOIP                                    Physical Security
 •		 ypes	of	Networks                       K
                                          •		 ey	Protocols                           O
                                                                                   •		 verview	of	VOIP                       T
                                                                                                                           •		 hreats	to	Physical	Safety
 •		 hysical	and	Logical	Topologies         U
                                          •		 DP	Protocols	and	Applications          V
                                                                                   •		 OIP	Threats	and	Security	Risks        E
                                                                                                                           •		 vacuation	Procedures	and	
 •		 AN	and	WAN	Protocols
   L                                      •		 CP	Protocols	and	Applications
                                            T                                      •		 ros	and	Cons	of	VOIP
                                                                                     P                                       Roles
 •		 etwork	Devices
   N                                      •		 uaranteed	and	Not	Guaranteed	
                                            G                                      •		 ypes	of	Architectures
                                                                                     T                                       P
                                                                                                                           •		 ower	and	Cooling	Issues	and	
                                            Communication                                                                    Solutions
 •		 dvanced	Switches	and	VLANS                                                      S
                                                                                   •		 ignaling	Protocols	–	SIP	&	H.323
                                          •		 hree-way	Handshake
                                            T                                                                                D
                                                                                                                           •		 eterring,	Detecting,	and	
 •		 etwork	Design                                                                   M
                                                                                   •		 edia	Protocols	–	RTP
                                                                                                                             Preventing	Physical	Access
                                          •		 ample	Uses                             E
                                                                                   •		 thereal	Analysis	and	Decodes
IP Concepts I                                                                                                                R
                                                                                                                           •		 estricted	Areas
                                          •		CMP	Protocol	and	Uses                   C
                                                                                   •		 hallenges	and	Solutions	of	
 •		 SI	and	TCP/IP	Protocol	Stacks                                                                                           P
                                                                                                                           •		 erforming	a	Safety	
                                          •		 roubleshooting	Techniques	             VOIP
 •		P	Protocol	and	Header
   I                                                                                                                         Walkthrough
                                            with	Ping	and	Traceroute                 G
                                                                                   •		 uide	to	Securing	VOIP
 •		 etwork	Addressing                                                                                                    Bootcamp
 •		 ubnet	Masks	and	CIDR	
                                         Protocol Analysis                        Routing Fundamentals                       I
                                                                                                                           •		ntroduction	to	Operating	
   Notation                                 A
                                          •		 nalysis	of	Switches	and	hubs           K
                                                                                   •		 ey	Characteristics	of	Routers	        Systems
 •		 inary	and	Hex	Numbering                S
                                          •		 niffing	and	Sniffers                   and	How	They	Work
                                                                                                                           •		 noppix
 •		Pv6	Header	and	Uses                     P
                                          •		 erforming	Analysis	with	Sniffers       M
                                                                                   •		 AC	Addresses,	IP	Addresses,	
                                                                                                                           •		 cpdump
                                          •		 anual	Decodes	of	IP	and	TCP	
                                            M                                        and	ARP
 •		 NS	Queries	and	Attacks                                                                                                  E
                                                                                                                           •		 thereal
                                            Headers                                  S
                                                                                   •		 imple	and	Complex	Routing
                                                                                                                           •		 onfig	Maker
                                          •		 ips	and	Tricks	for	Packet	             R
                                                                                   •		 outing	Protocols	–	BGP
                                            Decoding                                 F
                                                                                   •		 iltering	Traffic	with	Routers
                                          •		 issection	of	TCP	&	How	it	Works        K
                                                                                   •		 ey	DMZ	Filtering	Rules

401.2 Defense In Depth
Day	two	covers	security	threats	and	their	impact,	including	information	warfare.		It	also	covers	sound	security	policies	and	
password	management	tools,	the	six	steps	of	incident	handling,	and	Web	server	security	testing.
Defense in Depth                                      Access Control & Password                             Information Warfare
 •		 isk	Formula	and	Calculating	Risk
   R                                              Management                                                   T
                                                                                                             •		 ools	of	Information	Warfare	and	Blended	
 •		 onfidentiality,	Integrity,	and	Availability
   C                                                 A
                                                   •		 ccess	Control,	Data	Owner,	Data	Custodian               Attacks
 •		 ive	Primary	Threat	Vectors
   F                                                 A
                                                   •		 pproaches	and	Techniques	for	Data	                      S
                                                                                                             •		 ample	Attacks	and	Defenses
 •		 niform	Protection,	Protected	Enclaves,	         Classification                                            T
                                                                                                             •		 errorism	Lifecycle
   Information	centric	and	threat	vector	analysis •		 iscretionary,	Mandatory,	Role-based,	Rule-               I
                                                                                                             •		ndications,	Warnings,	and	Measure	of	
 •		dentity,	Authentication,	Authorization,	and	     based	List,	and	Token-based	Access	Control                Effectiveness
   Accountability                                    S
                                                   •		 ingle	Sign	On                                           O
                                                                                                             •		 ffensive	Operation	Goals	and	Defenses
 •		 east	Privilege,	Need	to	Know,	Separation	of	 •		 hallenge	Handshake	Authentication
   L                                                                                                        Web Communications and Security
   Duties,	and	Rotation	of	Duties                    T
                                                   •		 ACACS+	and	RADIUS
                                                                                                             •		 ulti-Tiered	Architecture	Approach
 •		 irus	and	Worms	and	How	They	Work                P
                                                   •		 assword	Cracking	and	Assessment
                                                                                                             •		 SL,	CGI,	and	HTML
 •		 alicious	Browser	Attacks	and	Spyware            R
                                                   •		 ainbow	Tables
                                                                                                             •		 et	and	Post	Commands
 •		 ybrid	Threat                                    P
                                                   •		 rotecting	Against	Password	Attacks
                                                                                                             •		 pyware,	Active	Content,	Cross-Site	Scripting,	
 •		 alware	Defense                                  P
                                                   •		 AM	and	Disabling	LANMAN                                 and	SQL	Injection
 •		 etasploit
                                                      Incident Response                                        T
                                                                                                             •		 racking	State	Attacks	and	Preventive	
Security Policy and Contingency                         •		ncidents	vs.	Events	and	How	to	Differentiate
                                                          I                                                    Measures
Planning                                                •		 ix-Step	Process	for	Handling	an	Incident-	
                                                          S                                                    A
                                                                                                             •		 pplication	Service	Providers	and	Service	
 •		 elling	and	Building	a	Security	Policy
   S                                                      Preparation,	Identification,	Containment,	           Level	Agreements
 •		 tandard,	Guidelines,	Policy,	and	Procedures
   S                                                      Eradication,	Recovery,	and	Lessons	Learned Bootcamp
 •		 ore	Components	of	a	Policy
   C                                                      K
                                                        •		 ey	Mistakes	in	Incident	Handling              D
                                                                                                        •		 umpsec
 •		 ample	Policy	Statements
   S                                                      R
                                                        •		 egulatory,	Criminal,	and	Civil	Law            P
                                                                                                        •		 olicy	Challenge
 •		 DA	and	Copyright	Issues
   N                                                      W
                                                        •		 arrants	and	Legal	Implications                C
                                                                                                        •		 ain	and	Abel
 •		 CP	and	DRP	Planning
   B                                                      B
                                                        •		 est	Evidence                                  J
                                                                                                        •		 ohn	the	Ripper
 •		 ey	Elements,	Components,	&	Steps	for	BCP/DRP
 •		 usiness	Impact	Analysis

Visit for more detailed course descriptions and additional information.             SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   37
401.3 Internet Security Technologies
Day	three	gives	you	a	roadmap	that	will	help	you	understand	the	tools	and	options	available	for	deploying	defensive	systems	
for	defense	in	depth.
Attack Strategies and                    Vulnerability Scanning                     Intrusion Detection                  Intrusion Prevention
Mitigation                                   R
                                           •		 ules	and	Tricks	for	Vulnerability	   Technologies                         Technologies
 •		 itnick-Shimomura	attack	
   M                                         Scanning                                  I
                                                                                     •		DS	overview                       I
                                                                                                                        •		PS	Overview	and	Uses
   analysis                                  R
                                           •		 econnaissance,	Resource	                H
                                                                                     •		 ost	and	network	based	           H
                                                                                                                        •		 ost-based	and	Network-based	
 •		 reventive	and	Detective	
   P                                         Protection,	and	Return	on	                techniques                         Comparison	
   Methods	and	Techniques                    Investment                                U
                                                                                     •		 sing	Snort	as	an	IDA             D
                                                                                                                        •		 evelopment	in	IPS
 •		 atch	Management
   P                                         R
                                           •		 OI	and	ROSI                             S
                                                                                     •		 ignature	Analysis,	Anomaly	      P
                                                                                                                        •		 roduct	Space
 •		 ommon	Attacks
   C                                         T
                                           •		 hreats	and	Vulnerabilities              Detection	and	Protocol	Behavior
                                           •		 ocial	Engineering
                                                                                                                       IT Risk Management
 •		 uffer	Overflows,	Race	                                                            D
                                                                                     •		 eep	and	Shallow	Packet	
   Conditions,	Interrupts,	Open	                                                       Inspection                         R
                                                                                                                        •		 isk	Analysis	Matrix
                                           •		 ack,	Legion,	Nmap,	Nessus,	
   Search	Searching,	Rootkits                Kismet,	and	Other	Scanning	Tools        •		 evelopment	and	Advances	in	
                                                                                       D                                  S
                                                                                                                        •		 ingle	Loss	Expectancy
 •		 irewalls	and	Honeypots
   F                                       •		 S	Fingerprinting
                                             O                                         NIDS                               A
                                                                                                                        •		 nnualized	Loss	Expectancy
 •		 ses	and	Benefits	of	Firewalls
   U                                       •		 ean,	Methods,	and	Techniques	
                                             M                                         F
                                                                                     •		 ile	Integrity	Checking           M
                                                                                                                        •		 ulti-step	Process	for	Risk	
 •		 acket	Filtering,	Stateful	and	
   P                                         for	Port	and	Vulnerability	             •		 ros	and	Cons	of	HIDS
                                                                                       P                                  Analysis
   Proxy	Firewalls                           Scanning                                •		 inetd,	Port	Sentry,	Syslog,	
                                                                                       X                                  Q
                                                                                                                        •		 ualitative	vs.	Quantitative	Risk	
 •		 esign	Decisions	and	Filtering	
   D                                         K
                                           •		 ismet,	Netstumbler,	and	Wireless	       Tripwire,	andOther	HIDS	Tools      Assessment
   Techniques                                Scanning                                •		nternet	Storm	Center
                                                                                       I                                  I
                                                                                                                        •		nternal	and	External	Attacks
 •		 etwork	Address	Translation
   N                                         W
                                           •		 ar	Driving                                                                 P
                                                                                                                        •		 erforming	Cost	Benefit	Analysis
 •		 ersonal	Firewalls
   P                                         P
                                           •		 enetration	Testing                                                        Bootcamp
 •		 se	and	Benefits	of	Honeypots                                                                                           N
                                                                                                                          •		 essus
 •		 urpose,	Location,	and	Scope	of	                                                                                        H
                                                                                                                          •		 ping2
   Honeypots                                                                                                                N
                                                                                                                          •		 map
 •		 aBrea,	Honeyd,	and	Honeynet	                                                                                           S
                                                                                                                          •		 nort

401.4 Secure Communications
Day	four	covers	encryption,	wireless	security,	and	operations	security.	
Encryption 101                           Applying Cryptography                      Wireless Network Security            Operations Security
 •		 undamentals	of	Cryptosystems            M
                                           •		 ethods	and	Means	of	Virtual	            P
                                                                                     •		 DA’s	and	Popular	Wireless	         O
                                                                                                                          •		 verview	of	OPSEC
 •		 onfidentiality,	Integrity,	             Private	Networks                          devices                              D
                                                                                                                          •		 efensive	and	offensive	OPSEC	
   Authentication,	and	Non-                  T
                                           •		 ransport	and	Tunnel	Mode                B
                                                                                     •		 luetooth	and	Zig	Bee               techniques
   repudiation                               I
                                           •		PSEC	–	AH	and	ESP                        8
                                                                                     •		 02.11a,	b,	g,	i,	and	n             O
                                                                                                                          •		 pen	source	analysis	and	
 •		 otation,	Substitution,	               •		 SL	and	Non-IPSEC	VPNs
                                             S                                       •		 02.1x	and	network	level	
                                                                                       8                                    collection
   Permutation,	and	Xor	Techniques                                                     authentication                       C
                                                                                                                          •		 ompetitive	intelligence
                                           •		 ull	Disk	and	File	Level	
 •		 ymmetric,	Asymmetric,	and	              Encryption                                W
                                                                                     •		 EP,	WPA,	WPA2                      L
                                                                                                                          •		 aws	of	OPSEC
                                           •		 ard	drive	Encryption	Strategies         G
                                                                                     •		 eneral	Misconceptions,	            N
                                                                                                                          •		 DAs,	employment	agreements,	
 •		 re-shared	Key	and	Diffie	Helman	                                                  Technical	Misconceptions,	and	       non-competes,	non-solicitation	
                                           •		 KI	and	Web	of	Trust
   Key	Exchange                                                                        Risk	Misconceptions                  agreements
                                           •		 ertificate	Management
 •		 GP,	SSL,	Kerberos                                                                 E
                                                                                     •		 avesdropping,	Masquerading,	
                                         Steganography                                                                   Bootcamp
Encryption 102                                                                         Denial	of	Service,	Rogue	APs
                                                                                                                          •		 GP
                                           •		 verview	of	Stego                        R
                                                                                     •		 isk	Mitigation	and	Securing	
 •		 symmetric	Encryption	and	                                                                                              N
                                                                                                                          •		 etstumbler
   Computational	Intensity                   C
                                           •		 ryptography	vs.	Steganography           Wireless
                                                                                                                          •		 -Tools
 •		 actoring	Large	Numbers	into	
   F                                         D
                                           •		 etecting	Cryptography
                                                                                                                          •		nvisible	Secrets
   Their	Primes                              I
                                           •		njection,	Substitution,	and	
                                             Generation                                                                     S
                                                                                                                          •		 tegdetect
 •		 olving	Discrete	Logarithmic	
   Problem                                   S
                                           •		 tools,	Spam	Mimic,	Jsteg,	
 •		 olving	Discrete	Logarithmic	
   S                                         MP3Stego,	S-Mail,	Stash
   Problem	with	Elliptic	Curves              D
                                           •		 efending	and	Detecting	Stego
 •		 ES,	Triple	DES,	AES,	RSA,	ECC
 •		 rypto	Attacks,	Birthday	Attack,	
   Meet	in	the	Middle

38    SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008                  To register for SANS NETWORK SECURITY 2008, visit
              “Wonderful! New to information security and found all of these topics extremely
         useful and beneficial to what I’ll be working. The lab portion really helped tie it all together
                  and gain some experiences with topics discussed” -sAmAntHA sPooner, mitre

401.5 Windows Security
Day	five	is	all	about	securing	the	current	batch	of	Windows	operating	systems	(Windows	2000/
XP/2003/Vista)	and	teaches	the	tools	that	simplify	and	automate	the	process.
Windows Security                           Security Templates and                      Securing Windows Network
Infrastructure                             Group Policy                                Services
 •		 T,	2000,	XP,	2003,	and	Vista              S
                                             •		 ecurity	Configuration	and	              W
                                                                                       •		 ays	to	Secure	a	Service
 •		 orkgroups	and	Accounts
   W                                           Analysis	Tool                             N
                                                                                       •		 etwork	Adapter	Bindings
                                             •		 ECEDIT.EXE
                                               S                                                                                      Certified Instructor
 •		 ctive	Directory,	Kerberos,	and	                                                     F
                                                                                       •		 irewalls	and	Packet	Filtering
   NTLM                                      •		 ocal	and	Global	Security	Policies
                                               L                                                                                      Stephen Sims
                                                                                       •		 indows	Firewall	for	Vista
 •		 ew	Features	in	Vista
   N                                         •		 dministrative	Templates
                                               A                                       •		PSEC	and	Group	Policy
                                                                                         I                                            Stephen	Sims	is	an	infor-
 •		 anaging	Accounts,	SIDS,	and	              P
                                             •		 assword	Policy,	Account	Lockout,	       W
                                                                                       •		 ireless	Security                           mation	security	consultant	
   SATS                                        Security	Options,	Anonymous	
                                                                                       •		 ecuring	IIS
 •		 roup	Policy                               Access,	Kerberos,	NTMV2,	Guest	                                                        currently	working	for	Wells	
                                               Account,	protecting	Administrative	       T
                                                                                       •		 erminal	Services
Permissions and User Rights                    Access,	Internet	Explorer,	               R
                                                                                       •		 emote	Desktop	Protocol                     Fargo	in	San	Francisco,	
 •		 TFS	DACLS	and	Advanced	
   N                                           Administrative	Template                   S
                                                                                       •		 ecurity	Configuration	Wizard               CA.	He	has	spent	the	past	
   Security	Settings
                                           Service Packs, Hotfixes, and                Automation and Auditing                        seven	years	in	the	Bay	
 •		 hared	Folders,	Hidden	and	            Backups
   Administrative	Shares                                                                 S
                                                                                       •		 upport	Tools	and	Resource	Kit
                                             •		 ervice	Packs	and	Deployment	
                                               S                                       •		 cripting	Support
                                                                                                                                      Area	working	for	several	
 •		 FS	and	Bitlocker                          Strategies
 •		 iscretionary	Access	Control	
   D                                                                                     P
                                                                                       •		 ushing	Scripts	with	GPO                    large	financial	institu-
                                             •		 otfixes
   Across	Files,	Folders,	Registry,	and	                                                 S
                                                                                       •		 cheduling	Jobs                             tions	on	network	and	
   AD                                          M
                                             •		 icrosoft	Update
                                                                                       •		 erifying	Compliance
 •		 ser	Rights                                A
                                             •		 utomatic	Update                                                                      systems	security,	reverse-
                                                                                       •		 S	Baseline	Security	Analyzer
                                             •		 SUS	and	3rd	Party	Patch	
                                               Management                                C
                                                                                       •		 reating	and	Validating	Snapshots           engineering	malware,	
                                             •		 indows	Backup	and	Restore               S
                                                                                       •		 ecurity	Events	Logs	and	Audit	             and	risk	assessment	and	
                                             •		 inary	Disk	Images                                                                    management.	Prior	to	San	
                                             •		 ystem	Restore	and	dll	Rollback
                                               S                                       Bootcamp
                                                                                        •		 CA	
                                                                                          S          •		 IS	Scoring	Tool
                                                                                                       C                              Francisco,	Stephen	worked	
                                                                                        •		 SA	        M
                                                                                                     •		 S	Firewall                   in	the	Baltimore/DC	area	
401.6 Linux Security                                                                                                                  as	a	network	security	
Based	on	industry	consensus	standards,	this	course	provides	step-by-step	guidance	on	                                                 engineer	for	companies	
improving	the	security	of	any	Linux	system.	The	course	combines	practical	how-to	instructions	                                        such	as	General	Motors	
with	background	information	for	Linux	beginners	and	security	advice	and	“best	practices”	for	
                                                                                                                                      and	Sylvan	Prometric.	He	
administrators	of	all	levels	of	expertise.
                                                                                                                                      is	one	of	only	a	handful	
Linux Landscape                             Virtual Machines                           Linux Security Tools
 •		 ifferent	variants	of	and	uses	for	
   D                                         •		 ypes	of	virtual	machines
                                               T                                        •		 ile	Integrity	Verifications
                                                                                          F                                           of	individuals	who	holds	
   Linux                                     •		 hat	are	virtual	machines	and	
                                               W                                        •		 hkrootkit
                                                                                          C                                           the	GIAC	Security	Expert	
 •		 ays	processes	are	started                 how	they	work                              C
                                                                                        •		 IS	Hardening	Guides                       (GSE)	Certification	and	is	
 •		 etwork	Interface	Information              C
                                             •		 ontrolling	Virtual	Machines              B
                                                                                        •		 astille	Linux
 •		 rocess	Information
   P                                         •		nstalling	VMWare	Tools
                                               I                                        •		 niffers
                                                                                          S                                           currently	working	with	
 •		 irectory	Hierarchy                        C
                                             •		 onfiguration	&	Networking	             •		 nort
                                                                                          S                                           GIAC.		He	is	a	SANS	certi-
 •		 ounting	the	file	systems
   M                                           Options
                                             •		 roblems	with	virtual	machine	         Maintenance, Monitoring and                    fied	instructor	and	holds	
Linux Command Line                             networking                              Auditing Linux
 •		 ommand	line	essentials
                                                                                                                                      several	other	certifica-
                                                                                        •		 ommon	causes	of	compromise
 •		 ogging	in
                                            Linux OS Security                                                                         tions,	such	as	the	CISSP	
                                                                                        •		 atching
                                             •		 angerous	Services
 •		 ile	system	commands                                                                  B
                                                                                        •		 acking	up	data                            and	CISA,	and	is	currently	
                                             •		 elpful	services
 •		 ritical	OS	Tools                                                                     S
                                                                                        •		 yslog
 •		 etting	help	with	man
                                             •		 unning	&	stopping	programs                                                           co-authoring	a	book	on	
                                                                                        •		 nalyzing	log	files
                                             •		 onfiguration	changes	and	                                                            exploit	techniques.
 •		 asic	shell	scripting                                                                 O
                                                                                        •		 ther	logging
                                               restarting	services
 •		 egular	expressions
                                             •		 ile	system	permissions,	
                                               ownership	&	systems
                                             •		 ounting	Drives

Visit for more detailed course descriptions and additional information.              SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   39
   Five-Day Program
                                                  Cyber	security	continues	to	be	a	critical	area	for	
 Mon, Sept 29 – Fri, oct 3, 2008
                                                  organizations	and	will	continue	to	increase	in	
9:00am–5:00pm		•		6	CPE/Day                       importance	as	attacks	become	stealthier,	have	
                                                  a	greater	financial	impact	on	an	organization,	
                                                  and	cause	reputational	damage.		While	SEC401:	
                                                  SANS	Security	Essentials	lays	a	solid	foundation	
Who Should Attend                                 for	the	security	practitioner,	there	is	only	so	
•		 tudents	who	have	taken	
  S                                               much	that	can	be	packed	into	a	six-day	course.		
                                                  Security	501	is	a	follow-on	to	Security	401	(with	
  Security	Essentials	and	want	
                                                  no	overlap)	and	continues	to	focus	on	more	
  a	more	advanced	500-level	
                                                  technical	areas	that	are	needed	to	protect	an	
  course	similar	to	SEC401	                       organization.		The	core	focus	of	the	course	is	on:      AUTHoR STATEMENT
•		 eople	who	have	foundational	                  Protection	-	configuring	a	system	or	network	           it   is AlwAys A tHrill After     i    finisH teAcHing
  knowledge	covered	in	                           correctly                                               sec401       to see students leAve witH A fire in
  SEC401,	do	not	want	to	                         Detection	-	identifying	that	a	breach	has	oc-           tHeir eyes And An excitement ABout tHem . t Hey
  take	a	specialized	500-level	                   curred	at	the	system	or	network	level
                                                                                                          wAlked into clAss feeling overwHelmed tHAt
  course,	and	still	want	a	broad	                 Reaction	-	responding	to	an	incident	and	mov-
                                                                                                          security is A lost cAuse , But now tHey leAve
  advanced	coverage	of	the	core	                  ing	to	evidence	collection/forensics	if	necessary
  areas	to	protect	their	systems	                                                                         clAss understAnding wHAt tHey need to do
                                                  A	key	theme	of	prevention	is	ideal,	but	detec-
•		 nyone	looking	for	detailed	                   tion	is	a	must.		We	need	to	be	able	to	make	            And HAve A focus And drive to do tHe rigHt
                                                  sure	that	we	constantly	improve	our	security	           tHing to secure tHeir orgAnizAtions .          H owever
  technical	knowledge	on	how	
                                                  to	prevent	as	many	attacks	as	possible.		This	
  to	protect	against,	detect,	and	                prevention/protection	occurs	on	two	fronts	
                                                                                                          tHe next Question we receive on A constAnt

  react	to	the	new	threats	that	                  –	externally	and	internally.		Attacks	will	continue	    BAsis is , wHAt course sHould     i tAke next ? H ow
  will	continue	to	cause	harm	to	                 to	pose	a	threat	to	an	organization	as	data	            do   i   continue my Journey ?     w ell ,   it dePends
  an	organization                                 becomes	more	portable	and	networks	continue	
                                                                                                          on wHAt your focus AreA is .          do   you wAnt to
                                                  to	be	porous.		Consequently,	a	key	focus	needs	
                                                  to	be	on	data	protection,	securing	our	critical	        get more into Perimeter Protection ,           ids,   oP -

                                                  information	regardless	of	whether	it	resides	on	        erAting system security , etc ?       t He cHAllenge is
Prerequisites                                     a	server,	in	a	robust	network	architecture,	or	on	a	    tHAt mAny students HAve Positions tHAt do not
                                                  portable	device.
SEC401 is recommended                                                                                     Allow tHem to focus on one AreA             – tHey need
                                                  Despite	our	best	efforts	at	preventing	attacks	
but not required.                                 and	protecting	our	critical	data,	some	attacks	         to understAnd All of tHe key AreAs Across

                                                  will	still	be	successful.			Therefore,	we	need	to	be	   security .    w HAt    students Are telling us is
                                                  able	to	detect	attacks	in	a	timely	fashion.		This	      tHAt tHey wAnt A        s ecurity e ssentiAls     PArt   2
                                                  is	accomplished	by	understanding	the	traffic	
                                                                                                          or A     500- level   continuAtion of      s ecurity e s -
                                                  that	is	flowing	on	your	networks	and	looking	for	
                                                  indication	of	an	attack.		It	also	includes	per-         sentiAls covering tHe next level of tecHni -
  “By far the most valuable
                                                  forming	penetration	testing	and	vulnerability	          cAl knowledge .       i n s ecurity 501, sAns         HAs
    training I could have                         analysis	to	identify	problems	and	issues	before	
                                                                                                          decided to give students Just wHAt tHey HAve
 received to take my career                       they	compromise	an	organization.
                                                                                                          Been Asking for , And     i Am Beyond tHrilled witH
      to the next level.”                         Finally,	after	an	attack	is	detected	we	must	react	
                                                  to	it	in	a	timely	fashion,	being	able	to	analyze	       tHe results .   we    HAve identified core foundA -
             -BrAd dAin
                                                  the	attack	and	perform	forensics.		Once	we	un-          tion AreAs tHAt comPlement        sec401        witH no
                                                  derstand	how	the	attacker	broke	in,	we	can	feed	
                                                                                                          overlAP And continue to Build A solid secu -
                                                  this	information	back	into	more	effective	and	
                                                                                                          rity foundAtion for network PrActitioners .
                                                  robust	preventive	and	detective	measures,	thus	
                                                  completing	the	security	lifecycle.                      - d r . e ric c ole , P H d

40    SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008              To register for SANS NETWORK SECURITY 2008, visit
    “The knowledge gained from SANS has empowered me to provide top notched computer security
                services and reduced the time needed for unbillable hours of research.”
                                                      -kevin coHen, dAtA triAge tecHnologies

501.1 Hands On: Prevention
Defensive Network Infrastructure                              Implementing the Cisco Gold Standard to
Introducing Network Infrastructure as                         Improve Security
Targets for Attack                                                C
                                                                •		 ISecurity	Level	1	and	2	Benchmarks	for	
 •		mpact	of	Compromised	Routers	and	Switches
                                                                •		 ANS	Gold	Standard	Switch	Configuration
 •		 scalating	Privileges	at	Layers	2	and	3
 •		 eaknesses	in	Cisco	Router	and	Switch	
   W                                                          Advanced Layer 2 and 3 Controls
                                                                                                                            SANS Faculty Fellow
   Architecture                                                   R
                                                                •		 outing	Protocol	Authentication
                                                                                                                            Dr. Eric Cole, PhD
                                                                •		 iltering	with	Access	Control	Lists
                                                                                                                            Dr.	Eric	Cole,	PhD	is	an	industry	
                                                                •		 HCP,	ARP	Snooping,	and	Port	Security
                                                                                                                            recognized	security	expert,	tech-
                                                                •		ntroduction	to	Network	Admission	Control	
                                                                  and	802.1x                                                nology	visionary,	and	scientist	
                                                                                                                            with	over	15	years	of	hands-

501.2 Hands On – Part 1: Detection                                                                                          on	experience.		He	currently	
                                                                                                                            performs	leading-edge	security	
IP Packet Analysis                                             Advanced IP Packet Analysis                                  consulting	and	works	in	research	
Architecture Design and Preparing Filters                      Installation Analysis Software                               and	development	to	advance	the	
                                                                                                                            state-of-the-art	in	information	
Ngrep Usage and Installation                                   Wireshark
                                                                                                                            systems	security.		Throughout	his	
                                                                                                                            career	in	information	technology,	
501.3 Hands On – Part 2: Detection                                                                                          Dr.	Cole	has	focused	on	perimeter	
                                                                                                                            defense,	secure	network	design,	
Vulnerability Analysis and Pen Testing                         Advanced Vulnerability Analysis
                                                                                                                            vulnerability	discovery,	penetra-
Key Tools and Techniques                                       Basic Pen Testing                                            tion	testing,	and	intrusion	detec-
Advanced Pen Testing                                           Application Testing                                          tion	systems.		He	has	a	master’s	
                                                                                                                            degree	in	computer	science	
                                                                                                                            from	NYIT	and	a	PhD	from	Pace	
501.4 Hands On – Part 1: Reaction                                                                                           University	with	a	concentration	
Incident Response and Analysis                                 Incident Handling Process and Analysis                       in	information	security.		Dr.	Cole	
Forensics and Incident Response                                Windows Response Skills                                      is	the	author	of	several	books,	
                                                                                                                            including	Hackers Beware, Hiding
Windows Forensics Toolchest                                    Linux/Unix Response and Analysis
                                                                                                                            in Plain Site, Network Security
Linux/Unix Tools and System Analysis                                                                                        Bible, and Insider Threat.		Dr.	Cole	
                                                                                                                            has	a	wealth	of	knowledge	from	

501.5 Hands On – Part 2: Reaction                                                                                           industry,	academia,	and	govern-
                                                                                                                            ment	that	equips	him	to	serve	
Malware                                                                                                                     as	an	advisor	for	many	organi-
                                                                                         “It’s the best.
Using Microsoft Windows Basic Built-in CLI Tools                                                                            zations,	including	the	Execu-
                                                                                       Elite instructors,                   tive	Advisory	Board	for	Purdue	
Using Microsoft Windows Advanced Built-in CLI Tools
                                                                                           awesome                          University/CERIAS,	a	member	of	
Using Microsoft Windows Built-in GUI Tools
                                                                                       presentations!”                      the	Cyber	Security	Commission	
Using External Tools to Fight BHO                                                      -deAn PArsons, AliAnt
                                                                                                                            for	the	44th	President,	and	a	
Using Microsoft Windows External Tools                                                                                      Lockheed	Martin	Senior	Fellow.		
                                                                                                                            He	is	also	the	inventor	of	over	20	
Fighting Rootkits                                                                                                           patents;	a	researcher,	writer,	and	
Using Network-Based Tools to Identify Malware Traces                                                                        speaker	for	SANS;	and	a	faculty	
Using Online Resources to Get Help                                                                                          fellow	for	the	SANS	Technology	
                                                                                                                            Institute,	a	degree	granting	

Visit for more detailed course descriptions and additional information.           SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   41
     Six-Day Program
 Mon, Sept 29 – Sat, oct 4, 2008                    This course is a highly technical, hands-on saturation of
9:00am–5:00pm		•		6	CPE/Day                         everything you need to know in order to design, deploy, and
                                                    maintain a secure perimeter.
                                                    This	course	is	continuously	being	updated	using	
Who Should Attend                                   input	provided	by	literally	hundreds	of	professionals	
                                                    in	the	field.		The	result	is	a	building	block	approach	
•		ndividuals	who	need	to	manage	
                                                    that	brings	you	up	from	the	idiosyncrasies	of	TCP/IP	
  and/or	maintain	the	security	of	
                                                    to	creating	your	own	automated	alerting	systems.		
  their	network	
                                                    Since	most	people	gain	a	better	understanding	
•		 onsultants	or	project	members	                  through	hands-on	knowledge,	over	25%	of	the	class	
  who	are	charged	with	deploying	                   time	is	spent	performing	labs	that	give	you	practical	
  publicly	accessible	systems	or	
                                                    experience	with	the	tools	you	can	use	to	better	secure	
  perimeter	security	devices	                                                                               AUTHoR STATEMENT
                                                    your	network.		You’ll	even	work	with	some	of	the	tools	
•		 ecurity	professionals	who	
  S                                                 that	are	considered	to	be	hostile	in	nature	in	order	   one of tHe tHings i love seeing in        my
  wish	to	fill	in	the	gaps	in	their	                to	gain	a	better	understanding	of	what	is	required	to	 students is tHe little ligHt BulBs         go
  understanding	of	network	                         fully	lock	down	your	environment.                       off over tHeir HeAds . i tHink A lot      of
                                                    Many	attacks	are	based	on	bending	the	rules	            PeoPle wAlk into tHe clAss tHinking ,
•		ndividuals	who	understand	the	
                                                    of	network	communications.		With	this	in	mind,	         “H ey i’ ve Been running A Pix or f ire-
  theory	behind	network	security,	
                                                    the	course	starts	off	by	giving	you	an	in-depth	
  but	want	to	be	able	to	apply	it	                                                                          wAll -1 firewAll for A few yeArs – i Al -
  with	hands-on	experience
                                                    understanding	of	IP	and	its	transports.		Tools	are	
                                                                                                            reAdy know tHis Perimeter stuff ,” And
                                                    introduced	to	better	understand	traffic	flow	as	well	
•		ndividuals	with	operational	                     as	the	unique	communication	characteristics	of	         tHey Are Blown AwAy By How mucH tHey
  responsibility	for	a	firewall,	VPN,	or	           different	operating	systems.		We	then	build	on	this	    leArn . A single line of defense wAs cool
  Internet	facing	device	
                                                    knowledge	to	describe	how	this	traffic	flow	can	        eigHt yeArs Ago . t odAy , AttAckers As
                                                    be	controlled	at	both	the	header	and	the	payload	
                                                                                                            well As tHeir exPloits Are so soPHisti -
                                                    level.		Concepts	like	packet	filters,	proxy	firewalls,	
                                                    intrusion	detection,	intrusion	prevention,	etc.,	are	   cAted tHAt A single line of security is

  Get GCFW Certified                                introduced	and	labs	are	conducted	in	order	to	better	 no longer uP to tHe tAsk. i n tHis clAss
                                                    understand	the	underlying	core	technology.              students leArn ABout eAcH of tHe lAy -

                                                    From	there,	we	move	into	securing	the	systems	that	 ers tHAt cAn Be imPlemented to keeP tHe
                                                    are	exposed	to	Internet	access	as	well	as	the	tools	       AttAckers At BAy . i’ ve recently Added
                                                    you	can	use	to	simplify	that	task.		Concepts	like	
                                                                                                               to tHe course A ton of HAnds - on lABs .
                                                    vulnerability	assessment,	auditing,	and	centralized	
                                                    logging	and	alerting	are	discussed	in	depth	in	order	      i tHink tHis reAlly HelPs to solidify
                                                    to	ensure	our	perimeter	remains	secure.		Encryption,	 tHe student’s comfort zone witH eAcH
                                                    authentication,	and	VPN	technology	are	also	covered	 tecHnology. y ou leArn ABout ids And
   Reinforce what you learned                       so	we	can	securely	permit	our	remote	and	wireless	         tHen immediAtely go HAnds - on witH it
    in training and prove your                      users	into	the	network.		Hands-on	labs	are	performed	
   skills and knowledge with a                                                                                 in clAss . y ou leArn ABout vulnerABility
                                                    so	you	are	empowered	to	immediately	apply	these	
        GCFW certification.                                                                                    cHecking And AgAin , set uP A scAnner in
                                                    concepts	when	you	return	to	the	office.		Finally,	the	
                                                    concept	of	performing	a	forensic	analysis	is	covered	 clAss And stArt cHecking tHe rePorts. i
                                                    just	in	case	the	worst	does	occur.		Again,	we	look	at	     tHink in mAny wAys tHis is ProBABly tHe
                                                    the	tools	you	can	use	to	help	simplify	this	process.
                                                                                                               most difficult sAns clAss to mAster , As
                                                    In	short,	this	course	takes	a	defense-in-depth	approach	 tHe BreAdtH of knowledge leArned is so
                                                    to	locking	down	a	perimeter.		Every	layer	in	that	defense	
      LAPToP                                        is	covered	in	order	to	ensure	that	your	perimeter	will	
                                                                                                               diverse . e AcH tecHnology is A reQuired

                                                                                                               skill , However , if you Are going to lock
     REqUIRED                                       provide	maximum	protection	for	your	organization’s                          resources.		A	strong	focus	is	placed	on	hands-on	time	     down your orgAnizAtion ’ s Perimeter .
       laptop/sec502.php                            with	the	tools	you	can	use	to	complete	this	task.          - c Hris Brenton

42     SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008              To register for SANS NETWORK SECURITY 2008, visit
Perimeter Protection In-Depth is suited for anyone wanting to become a firewall administrator or perimeter
designer. This course is also fantastic for auditors and consultants. Junior firewall administrators earn from $35,000 to
$55,000. More experienced firewall administrators can go up to $90,000 or more. Consultants tend to earn 20 - 30%
more than people with similar experience levels working inside organizations if they can maintain a steady flow of work.
Respected technical certifications, like the GCFW and GCIA, can really help make a consultant stand out from the crowd.

502.1 TCP/IP for Firewalls
This	session	provides	an	in-depth	analysis	of	IP	communications	through	all	of	the	OSI	layers.		
Common	IP	attack	techniques	are	covered	in	detail.		Hands-on	labs	include	packet	decoding	and	
passive	fingerprinting.
Topics: Perimeter Concepts; IP; TCP; UDP; ICMP; Fragmentation; IP Level Attacks; Complex Applications

502.2 Hands On: Packet Filters
This	section	discusses	in	detail	all	of	the	current	firewall	technologies	from	packet	filtering	to	                                            SANS Faculty Fellow
proxies.	This	includes	design	limitations	as	well	as	appropriate	use.		Also	discussed	are	policy	best	                                         Chris Brenton
practices	as	well	as	configuration	of	a	perimeter	router.		Hands-on	labs	include	writing	attack	                                               Chris	Brenton	is	a	private	
scripts,	recording	payload	based	attacks,	packet	trace	analysis,	packet	decoding,	packet	crafting,	
                                                                                                                                               consultant	with	over	ten	
and	idle	scans.
Topics: Static and Stateful Packet Filters; Stateful Inspection; Proxies; Securing Cisco Routers                                               years’	experience	in	the	field.		
                                                                                                                                               He	is	one	of	the	founding	
502.3 Hands On: Firewalls                                                                                                                      members	of	the	initial	
Multiple	firewall	products	are	discussed	in	order	to	compare	the	features	and	strengths	of	
                                                                                                                                               Honeynet	Project,	one	of	the	
each.		You	will	learn	how	to	build	a	firewall	policy	as	well	as	validate	that	policy	is	performing	as	
expected.		Further,	the	student	is	shown	how	to	check	a	firewall	over	the	wire	so	that	limitations	                                            original	Internet	Storm	Center	
of	the	vendor’s	implementation	can	be	assessed.		The	day	is	rounded	off	with	an	in-depth	look	at	                                              handlers,	and	started	up	one	
firewall	log	analysis.		Hands-on	labs	include	packet	crafting,	active	fingerprinting,	port	scanning,	
                                                                                                                                               of	the	first	managed	security	
mapping	flows,	detecting	spoofed	traffic,	and	detecting	applications	on	non-standard	ports.
Topics: Checkpoint FW-1; Cisco PIX and ASA; Netscreen; Netfilter; Sidewinder; Creating a Firewall Policy; Assessment for Policy                ISPs.		Over	the	years,	he’s	been	
        Verification; Detecting Firewall Design Flaws; Firewall Log Analysis                                                                   credited	with	the	discovery	
                                                                                                                                               of	numerous	vulnerabilities	
502.4 Hands On: Defense In Depth                                                                                                               in	various	software	products.		
In	this	section	we	start	by	discussing	wire	level	intrusion	detection	and	prevention,	but	quickly	
shift	our	focus	to	the	hosts	we	wish	to	protect.		How	to	lock	down	exposed	hosts	is	discussed	as	                                              Along	with	being	a	published	
well	as	how	to	perform	audits	and	a	forensic	analysis.		Hands-on	labs	include	using	an	intrusion	                                              author,	Chris	is	responsible	for	
detection	system,	detecting	spoofed	traffic,	file	system	hashing,	writing	auditing	scripts,	integrity	                                         maintaining	all	of	the	mate-
issues	with	MD5,	and	password	cracking.
                                                                                                                                               rial	in	the	SANS	Perimeter	
Topics: Intrusion Detection; Intrusion Prevention; Locking Down Exposed Systems; Auditing; Forensics; Vulnerability Assessments
                                                                                                                                               Protection	In-Depth	course.		In	
502.5 Hands On: Forensics, VPNs and Wireless                                                                                                   his	spare	time,	Chris	teaches	
The	focus	of	this	section	is	creating	secure	connections	over	insecure	mediums.		This	can	                                                     rally	and	high-speed	off	road	
include	the	Internet,	wireless,	or	even	telo	cloud	networks.		Design	concepts	are	discussed	as	                                                security	driving	where	he	can	
well	as	techniques	that	can	be	used	to	prevent	these	connections	from	introducing	additional	
                                                                                                                                               be	found	teaching	students	to	
risk	into	a	network.		The	end	of	the	day	wraps	up	by	covering	everything	you	need	to	know	in	
order	to	create	a	centralized	logging	and	alerting	system.		Hands-on	labs	include	sniffing	and	                                                make	their	side	window	the	
troubleshooting	SSL	connections,	hijacking	SSH	connections,	working	with	the	insecurities	in	                                                  front	of	the	car.	
Windows	hashing,	and	extracting	forensic	information	from	a	compromised	system.	
Topics: VPN Basics; Encryption; Authentication; SSL; IPSec; SSH; PKI; Digital Certificates; VPNs over Wireless; VPN Design Concepts; NTP;
        Centralized Logging; Centralized Alerting
                                                                                                                                               “Chris is a phenomenal
502.6 Hands On: Network Design and Assessment                                                                                                   instructor. His insight
Principles	of	generic	as	well	as	secure	network	design	are	covered	in	detail	to	aid	students	in	                                               into the current state of
assessing	the	weak	points	on	their	own	networks.	A	wide	range	of	existing	attack	tools	are	
evaluated	so	that	students	know	just	what	an	attacker	may	try	to	use	against	them.	Hands-on	                                                  IT security and perimeter
labs	include	avoiding	an	intrusion	detection	system,	hijacking	DNS	queries,	and	connection	                                                    protection is awesome.”
hijacking	at	layers	2	and	3.		
                                                                                                                                                       -Jim rouse, nAsA
Topics: Design Concepts; Secure Perimeter Design; Information Enumeration; Security Tool Round Up

Visit for more detailed course descriptions and additional information.                            SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   43
     Six-Day Program
 Mon, Sept 29 – Sat, oct 4, 2008                    Learn practical hands-on intrusion detection and traffic
9:00am–5:00pm		•		6	CPE/Day
                                                    analysis from top practitioners/authors in the field.
                                                    This	is	the	most	advanced	program	in	network	
                                                    intrusion	detection	that	has	ever	been	taught.		
Who Should Attend
                                                    All	of	the	course	material	is	either	new	or	just	
•		ntrusion	detection	analysts		
                                                    updated	to	reflect	the	latest	attack	patterns.		
  (all	levels)
                                                    This	series	is	jam-packed	with	network	traces	
•	Network	engineers
                                                    and	analysis	tips.		The	emphasis	of	this	course	
•		 ystem,	security,	and	network	
                                                    is	on	increasing	students’	understanding	of	the	
                                                    workings	of	TCP/IP,	methods	of	network	traffic	
•	Hands-on	security	managers                                                                                  AUTHoR STATEMENT
                                                    analysis,	and	one	specific	network	intrusion	
•		ndividuals	with	operational	                                                                               g uy B runeAu , m ike P oor , And i
                                                    detection	system—Snort.		This	course	is	not	                                                     HAve
  responsibility	for	a	firewall,	VPN,	or	
  Internet	facing	device                            a	comparison	or	demonstration	of	multiple	                worked As intrusion AnAlysts for

                                                    NIDS.		Instead,	the	knowledge/information	                mAny yeArs .   o ver   tHe yeArs , we HAve
                                                    provided	here	allows	students	to	better	
   Get GCIA Certified                               understand	the	qualities	that	go	into	a	sound	
                                                                                                              seen our fAir sHAre of At tAcks And

                                                                                                              susPicious trAffic often leAding to
                                                    NIDS	and	the	“whys”	behind	them,	and	thus,	to	
                                                                                                              intrusions .   o ver   time , we HAve devel -
                                                    be	better	equipped	to	make	a	wise	selection	
                                                                                                              oPed vArious AnAlysis tecHniQues tHAt
                                                    for	their	site’s	particular	needs.	
                                                                                                              work on new detects , And we HAve
                                                    This	is	a	fast-paced	course	and	students	are	             leArned How to PAss tHose on to tHe
                                                    expected	to	have	a	basic	working	knowledge	
                                                                                                              students .   A t tendees   will leArn How
                                                    of	TCP/IP	(see:
   Reinforce what you learned                                                                                 tcP/iP    reAlly works from instruc -
                                                    tcpip_quiz.php)	in	order	to	fully	understand	
    in training and prove your                                                                                tors wHo HAve sPent tHousAnds of
   skills and knowledge with a                      the	topics	that	will	be	discussed.		Although	
         GCIA certification.                        others	may	benefit	from	this	course,	it	is	most	          Hours AnAlyzing , reseArcHing , And

                              appropriate	for	students	who	are	or	who	will	             cAtegorizing susPicious trAffic witH

                                                    become	intrusion	detection	analysts.		Students	           A vAriet y of securit y tools . y ou will
                                                    generally	range	from	novices	with	some	                   leArn from Hundreds of old And
                                                    TCP/IP	background	all	the	way	to	seasoned	
                                                                                                              current exAmPles of detects tHAt
                                                    analysts.		The	challenging,	hands-on	exercises	
                                                                                                              were cAPtured in tHe reAl world And
                                                    are	specially	designed	to	be	valuable	for	all	
                                                                                                              Be ABle to APPly tHese reAl - world
                                                    experience	levels.		We	strongly	recommend	
                                                    that	you	spend	some	time	getting	familiar	                exAmPles to AnAlyze known And new

                                                    with	TCPdump,	WINdump,	or	another	network	                intrusion PAt terns . w e Are confident

              MSISE                                 analyzer	output	before	coming	to	class.                   tHAt students will Put tHe trAining
                                                                                        tHey receive from tHis course into
                                                                                                              PrActice tHe dAy tHey get BAck to
                                                             You must possess at least a working
                                                              knowledge of TCP/IP and Hex (see:               tHe office .
      LAPToP                                                    - s tePHen n ortHcut t , g uy B runeAu ,
     REqUIRED                                          to test your TCP/IP and Hex basics knowledge).
                                                                                                                And   m ike P oor

44     SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008            To register for SANS NETWORK SECURITY 2008, visit
Intrusion Detection In-Depth is one of our most advanced and challenging courses. People with GCIA
certifications have an advantage over other security job candidates and often land some of the most interesting jobs
in information security. Their salaries range from $50,000 to well into six figures.

503.1 TCP/IP for Intrusion Detection
Diligent	students	will	be	able	to	translate	native	hexadecimal	at	the	IP,	transport	layers,	and	be	able	
to	decode	DNS.		The	material	presented	in	this	course	will	equip	students	with	the	knowledge	and	
understanding	of	TCP/IP	and	free	tools	like	TCPdump	and	WINdump	to	assist	them	in	troubleshooting	
all	types	of	networking	complaints	from	routing	problems	to	firewall	and	critical	server	issues.	
Topics: TCPdump	Review;	TCP/IP	Communication	Model;	Fragmentation;	ICMP;	Stimulus	and	Response;	Microsoft	
       Networking	and	Security;	Domain	Name	System;	Routing;	IPSec

503.2 Hands On – Part 1: Network Traffic Analysis Using TCPdump*                                                                   Senior Instructor
                                                                                                                                   Mike Poor
In	the	first	day	of	this	two-day	module,	students	will	learn	how	to	interpret	every	single	field	in	a	
packet.	We	will	build	on	that	skill	to	learn	traffic	analysis	with	lab	exercises	to	reinforce	the	theory.		                        Mike	is	a	founder	and	senior	
TCPdump	is	the	tool	of	choice	selected	to	demonstrate	the	theory	and	is	used	in	hands-on	exercises.		                              security	analyst	for	the	DC	
The	intent	of	this	course	is	to	free	the	analyst	from	relying	exclusively	on	the	NIDS	to	do	packet	
interpretation.		                                                                                                                  firm	Intelguardians	LLC.	In	
Topics: Introduction	to	TCPdump;	Writing	TCPdump	Filters;	TCPdump	Filters;	Examining	Datagram	Fields	with	TCPdump                  his	recent	past	life	he	has	
                                                                                                                                   worked	for	Sourcefire	as	a	
503.3 Hands On – Part 2: Network Traffic Analysis Using TCPdump*                                                                   research	engineer	and	for	the	
In	the	second	day	of	Network	Traffic	Analysis	Using	TCPdump,	we	combine	lectures	with	hands-on	
exercises	to	give	you	the	foundation	and	knowledge	to	return	to	your	site	and	use	TCPdump	to	do	                                   SANS	Institute	leading	their	
real-world	analysis	of	your	network	traffic.			                                                                                    Intrusion	Analysis	Team.		As	
Topics: Examining	Datagram	Fields	with	TCPdump;	Analysis	of	TCPdump	Output;	Advanced	Analysis                                      a	consultant,	Mike	conducts	

503.4 Hands On: Intrusion Detection Snort Style*                                                                                   forensic	analysis,	penetration	
On	day	four	we	will	install,	configure,	and	use	the	powerful	and	versatile	freeware	intrusion	detection	                           tests,	vulnerability	assess-
system	Snort	in	either	Linux	or	Windows.		In	addition,	learn	to	customize	Snort	for	many	special	uses.		                           ments,	security	audits,	and	
Hands-on	exercises	that	will	challenge	both	the	novice	and	seasoned	Snort	user	are	included	so	that	                               architecture	reviews.		His	
students	will	feel	confident	in	their	ability	to	effectively	utilize	Snort	for	their	site’s	specific	needs	when	
they	get	back	to	the	office.                                                                                                       primary	job	focus,	however,	
Topics: Introduction;	Modes	of	Operation;	Writing	Snort	Rules;	Configuring	Snort	as	an	IDS;	Output	Analysis;		                     is	in	intrusion	detection,	
       Advanced	Topics
                                                                                                                                   response,	and	mitigation.		
503.5 Hands On – Part 1: Security Information Management                                                                           Mike	currently	holds	both	
      and Traffic Analysis*                                                                                                        GSEC	and	GCIA	certifications	
This	day	starts	to	bring	together	the	knowledge	gained	on	previous	days	to	help	you	become	a	                                      and	is	an	expert	in	network	
combat	ready	analyst.		You’ll	learn	how	to	assess	and	prioritize	the	events	generated	by	an	IDS/IPS	                               engineering	and	systems,	
including	how	to	correlate	events	across	multiple	platforms	and	operating	environments.		You’ll	
participate	in	analyzing	and	decoding	host	and	network	logging	data,	identifying	patterns	in	attacker	                             network,	and	Web	adminis-
activity	taken	from	live,	hostile	networks.                                                                                        tration.		Mike	is	an	author	of	
Topics: Traffic	Patterns	and	Analysis;	Interoperability	and	Standards	in	Intrusion	Detection;	Passive	Analysis	Techniques;	        the	international	best	selling	
       IDS/IPS	Architecture	and	Implementation	Techniques;	Common	Analyst	Tools;	Event	Correlation	and	Common	
       Attack	Techniques                                                                                                           book	Snort 2.1	from	Syngress	

503.6 Hands On – Part 2: Security Information Management                                                                           and	is	a	handler	for	the	

      and Traffic Analysis*                                                                                                        Internet	Storm	Center.

The	final	day	in	this	course	will	exercise	all	of	the	knowledge	gained	in	previous	days,	exposing	the	
student	to	a	barrage	of	scans,	reconnaissance	techniques,	and	network	exploits	used	by	the	attack	                              “A great course that was very
community.		Hands-on	participation	in	decoding	and	analyzing	hostile	activity	from	a	honeypot	will	                             well taught. This information
prepare	the	student	to	assess	IDS/IPS	alerts	and	logging	information	on	their	own	network	after	
completing	this	exercise.                                                                                                            is valuable to any IT
Topics: “The	Challenge	Hands-On	Exercise”
                                        ,	Identifying	Crafted	Packets;	In-Depth	Protocols	Analysis;	Common	Errors	and	           professional that deals with
       How	to	Avoid	Them;	Advanced	Analysis	Profiling	Techniques;	Reducing	False-Positives;	Identifying	Denial-of-	
       Service	Activity                                                                                                            intrusion on any level.”
*This course is available to Security 503 participants only.                                                                            -steve nixon, csumB

Visit for more detailed course descriptions and additional information.                SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   45
     Six-Day Program
 Mon, Sept 29 – Sat, oct 4, 2008                   If your organization has an Internet connection or a
9:00am–5:00pm		•		6	CPE/Day
                                                   disgruntled employee (and whose doesn’t!), your computer
                                                   systems will get attacked.
                                                   From	the	five,	ten,	or	even	one	hundred	daily	
Who Should Attend                                  probes	against	your	Internet	infrastructure	to	the	
•		 embers	and	leaders	of	incident	                malicious	insider	slowly	creeping	through	your	
  handling	teams                                   most	vital	information	assets	to	the	spyware	your	
•		 ystem	administrators	and	                      otherwise	wholesome	users	inadvertently	down-
  security	personnel                               loaded,	attackers	are	targeting	your	systems	with	
•		 thical	hackers/penetration	
  E                                                increasing	viciousness	and	stealth.	
  testers	who	want	to	understand	
  the	concepts	underlying	their	                   By	helping	you	understand	attackers’	tactics	and	
  testing	regimen	                                 strategies	in	detail,	giving	you	hands-on	experience	
                                                   in	finding	vulnerabilities	and	discovering	intrusions,	    AUTHoR STATEMENT
                                                   and	equipping	you	with	a	comprehensive	incident	           my     fAvorite PArt of teAcHing                   H Acker
  Get GCIH Certified                               handling	plan,	the	in-depth	information	in	this	
                                                                                                              t ecHniQues , e xPloits ,                  And   i ncident
                                                   course	helps	you	turn	the	tables	on	computer	
                                                   attackers.		This	course	addresses	the	latest	cutting-      H Andling                is     wAtcHing         students

                                                   edge	insidious	attack	vectors,	the	‘oldie-but-goodie’	     wHen       tHey           finAlly     “ get      it .”   it’s
                                                   attacks	that	are	still	so	prevalent,	and	everything	       usuAlly A t wo - stAge Process .                     f irst ,
                                                   in	between.	Instead	of	merely	teaching	a	few	hack	         students Begin to reAlize How truly
                                                   attack	tricks,	this	course	includes	a	time-tested,	
                                                                                                              mAlicious some of tHese At tAcks Are .
                                                   step-by-step	process	for	responding	to	computer	
                                                   incidents;	a	detailed	description	of	how	attackers	        s ome     students HAve A very viscerAl
   Reinforce what you learned
    in training and prove your                     undermine	systems	so	you	can	prepare,	detect,	             reAction ,               occAsionAlly            sHouting
   skills and knowledge with a                     and	respond	to	them;	and	a	hands-on	workshop	              out      “o H ,      sHoot !” wHen               tHey    see
         GCIH certification.                       for	discovering	holes	before	the	bad	guys	do.		This	
                                                                                                              wHAt tHe BAd guys Are reAlly uP
                             workshop	also	includes	the	unique	SANS	Capture-
                                                   the-Flag	event	on	the	last	day	where	you	will	apply	       to .   B ut    if    i    stoPPed tHe Process At

                                                   your	skills	developed	throughout	the	session	to	           tHAt Point ,             i’ d    Be doing A disser -
                                                   match	wits	with	your	fellow	students	and	instructor	       vice .   t He   second stAge is even more
                                                   in	a	fun	and	engaging	learning	environment.		You’ll	
                                                                                                              fun .    l Ater          in tHe clAss , students
                                                   get	to	attack	the	systems	in	our	lab	and	capture	the	
                                                                                                              grAduAlly reAlize tHAt even tHougH
                                                   flags	to	help	make	the	lessons	from	the	whole	week	
                                                   more	concrete.		Additionally,	the	course	explores	         tHe At tAcks Are reAlly nAst y , tHey

                                                   the	legal	issues	associated	with	responding	to	            cAn Prevent , detect , And resPond
                                                   computer	attacks	including	employee	monitoring,	           to tHem .       u sing          tHe knowledge tHey
          MSISE & MSISM                            working	with	law	enforcement,	and	handling	
                                                                                        gAin      in        tHis        course ,    tHey     know
                                                                                                              tHey ’ ll Be reAdy wHen A BAd guy
                                                   This	challenging	course	is	particularly	well	suited	
                                                                                                              lAuncHes An At tAck AgAinst tHeir
                                                   to	individuals	who	lead	or	are	a	part	of	an	incident	
                                                   handling	team.		Furthermore,	general	security	             systems .       A nd
      LAPToP                                                                                                                                Being reAdy to tHwArt

                                                   practitioners,	system	administrators,	and	security	        tHe BAd guys is wHAt it ’ s All ABout .
                                                   architects	will	benefit	by	understanding	how	to                                                                                    - e d s koudis
       laptop/sec504.php                           design,	build,	and	operate	their	systems	to	prevent,	
                                                   detect,	and	respond	to	attacks.

46    SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008            To register for SANS NETWORK SECURITY 2008, visit
Hacker Techniques, Exploits, and Incident Handling is a challenging course particularly
well suited to individuals who lead or are a part of an incident handling team or are penetration testers or RED
TEAM members. It focuses on how to detect malicious code and how to respond. High-end incident handlers and
penetration testers earn top dollars for the industry.

504.1 Incident Handling Step-by-Step and Computer Crime Investigation
This	session	describes	a	detailed	incident	handling	process	and	applies	that	process	to	several	in-the-trenches	case	studies.		
Computer Security Incident Handling: The Six-Step Process: an Action Plan

Step I – Preparation                     Step II – Identification                 Step IV – Eradication                      U
                                                                                                                           •		 nauthorized	use
 •		 olicies:	Appropriate	Use,	
   P                                  •		 ecognizing	an	Incident
                                        R                                   •		 estoring	from	Backups
                                                                              R                                              S
                                                                                                                           •		 exually	Explicit	Information
   Warning	Banners                    •		ncident	Detection	Guidelines
                                        I                                   •		 hen	to	Reformat	Drives
                                                                              W                                              I
                                                                                                                           •		ntellectual	Property	Theft
 •		 otifying	Law	Enforcement,	       •		 uspicious	Processes,	Files,	Log	
                                        S                                   •		 teps	to	Stop	Re-infection	
                                                                              S                                              I
                                                                                                                           •		nsider	Attacks	and	Recognizing	
   Peers	and	Third	Parties              Entries,	and	Accounts                                                                the	Warning	Signs	
 •		 Contain	and	Clear”	vs.	“Watch	
   “                                                                       Step V – Recovery                                 L
                                                                                                                           •		 aw,	Crime	and	Evidence
                                      •		 est	Tools	to	Find	the	Evidence
   and	Learn                                                                  H
                                                                            •		 ow	to	Restore	Operations
                                      •		 lerting	and	Enforcing	Need	to	
                                        A                                                                                    A
                                                                                                                           •		 pplicable	regulations	and	Laws
 •		 anagement	Official	in	Charge       Know                                  M
                                                                            •		 onitoring
                                                                                                                           •		 riminal	vs.	Civil	Remedies
 •		 ANS	Incident	Handling	Forms                                           Step VI – Lessons Learned                         S
                                                                                                                           •		 earch	&	Seizure	Rules
                                     Step III – Containment: short
 •		 udio	Recording                                                           M
                                                                            •		 eeting
                                     and long term action plans                                                              E
                                                                                                                           •		 vidence:	Relevance,	Reliability
 •		ncident	Handling	Team:	                                                   R
                                                                            •		 eport                                        C
                                                                                                                           •		 hain	of	Custody
                                      •		 ssessment	of	impact
   Composition,	Skills	and	                                                   W
                                                                            •		 hat	to	Include
   Geographic	Distribution              N
                                      •		 otification	of	management
                                      •		 otification	of	affected	parties
                                        N                                     W
                                                                            •		 hat	to	ignore
 •		 esponse	Time	Goals
                                      •		 topping	the	Pain:	Dangerous	
                                        S                                     I
                                                                            •		mplementing	the	Corrections
 •		 hecklists
                                        Actions	and	How	to	Avoid	Them •		 ommon	Lessons:	The	Seven	
 •		 mergency	Communications	                                                 Deadly	Sins
   Plan                                 B
                                      •		 ackups	and	Drive	Duplicators
                                                                            •		 ustomizing	the	process	for	
 •		 ights	to	Access	to	Systems	and	 •		 hen	to	Pull	the	Plug
   R                                                                          special	incidents
   Data	and	Constraints
                                                                            •		 spionage
 •		 ar	Room
 •		 raining	and	Exercises
 •		 ontents	of	“Jump	Bags”

504.2 Hands On – Part 1: Computer and Network Hacker Exploits*
It	is	imperative	that	system	administrators	and	security	professionals	know	how	to	control	what	outsiders	can	see.		
Students	who	take	this	class	and	master	the	material	can	expect	to	learn	the	skills	to	identify	potential	targets	and	be	
provided	with	the	tools	they	need	to	test	their	systems	effectively	for	vulnerabilities.			

Trends in attack tools and motivation                                           Hacking Step 2 – Scanning Tools and Techniques
 •		 uality,	Complexity,	Functionality                                             W
                                                                                 •		 ardialing	with	THC-Scan
 •		 endors	and	Vulnerability	Disclosure                                           C
                                                                                 •		 heops-ng	for	Network	Mapping
 •		 ttacker	communication	channels                                                n
                                                                                 •		 map	for	Port	Scanning
 •		 activism                                                                      O
                                                                                 •		 S	fingerprinting	(POF2)
 •		 ive	Most	Common	Ways	Hackers	Make	Money                                       D
                                                                                 •		 etermining	Firewall	Rules	(Firewalk)
 •		 oftware	Distribution	Site	Attacks                                             F
                                                                                 •		 ragRoute	and	FragRouter	to	Foil	IDS/IPS
Hacking Step 1 – Reconnaissance Tools and Techniques                               V
                                                                                 •		 ulnerability	Scanning	With	Nessus
 •		 oogle
   G                                                                               W
                                                                                 •		 eb/CGI	Scanning	(Whisker,	Nikto)
 •		 pecial	Useful	Directives
   S                                                                               N
                                                                                 •		 ull	Sessions	for	Windows
 •		 ndocumented	Search	Capabilities
   U                                                                               D
                                                                                 •		 efenses	against	each	tool
 •		 ource	of	1,000	Useful	Google	Searches
   S                                                                            Wireless
 •		 am	Spade                                                                      W
                                                                                 •		 ar	driving	for	wireless	access,	Netstumbler,	wellenreiter,	
 •		 NS	Interrogation	and	Zone	Transfers
   D                                                                               WEPcrack
 •		 itedigger
   S                                                                               A
                                                                                 •		 irsnort
 •		 ayback	Machine
   W                                                                               D
                                                                                 •		 angers	From	Using	Untrusted	Wireless	Devices
 •		 nd	more
   A                                                                               K
                                                                                 •		 arma
                                                                                 •		 racking	LEAP	with	ASLEAP
                                                                                 •		 olicies	and	Techniques	for	Protecting	Wireless
                                                                                 •		 ands	on	Exercises	to	Demonstrate	and	Correct	Scanning	
*This course is available to Security 504 participants only.

Visit for more detailed course descriptions and additional information.             SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   47
504.3 Hands On – Part 2: Computer and Network Hacker Exploits*
Computer	attackers	are	ripping	our	networks	and	systems	apart	in	novel	ways	while	constantly	improving	their	techniques.		
This	course	covers	the	third	step	of	many	hacker	attacks	-	gaining	access.		For	each	attack,	the	course	explains	vulnerability	
categories,	how	various	tools	exploit	holes,	and	how	to	harden	systems	or	applications	against	each	type	of	attack.		Students	
who	sign	an	ethics	and	release	form	are	issued	a	CD-ROM	containing	the	attack	tools	examined	in	class.	

Hacking Step 3 – Exploiting Systems                         B
                                                          •		 est	Defenses	Against	These	Attacks               F
                                                                                                             •		 ormat	String	Attacks
 •		 aining	Access:	                                            S
                                                          				-		 ession	Hijacking	with	Ettercap                   R
                                                                                                             				-		 pc.statd
 				-		P	Address	Spoofing	                                     D
                                                          				-		 NS	Cache	Poisoning                               W
                                                                                                             				-		 indows	Sort
 				-		 ultipurpose	Netcat	                                    B
                                                          				-		 uffer	Overflows	Step	by	Step                 B
                                                                                                             •		 est	Defenses	Against	These	Attacks
 				-		 niffing	with	Sniffit,	Dsniff,	Ethereal	(Now	           K
                                                          				-		 nown	Weak	Functions                              C
                                                                                                             				-		 ode	Checking	with	ITS4
       Wireshark)	                                              U
                                                          				-		 sing	Metasploit                                  R
                                                                                                             				-		 ATS
                                                          				-		tftp	and	nc                                       F
                                                                                                             				-		 lawfinder
                                                          				-		 arser	Problems                                   H
                                                                                                             				-		 ands	on	Exercises

504.4 Hands On – Part 3: Computer and Network Hacker Exploits*
Attackers	aren’t	resting	on	their	laurels,	and	neither	can	we.		They	are	increasingly	targeting	our	operating	systems	and	
applications	with	ever-more	clever	and	vicious	attacks.		This	session	looks	at	increasingly	popular	attack	avenues	as	well	as	the	
plague	of	denial	of	service	attacks.

Web Application Attacks                                  Additional exploitation vectors                   Denial of Service
 •		 WASP	Top	Ten                                         •		IS	Unicode
                                                            I                                                  D
                                                                                                             •		 oS	Attacks
 •		 ccount	Harvesting	(Wget,	CURL	and	Perl)              • Password	Cracking	(brute	force,	dictionary,	           C
                                                                                                             				-		 puHog
 •		 QL	Injection                                           hybrid)                                            R
                                                                                                             •		 ose
 				-		 inding	Errors                                                                                         S
                                                                                                             •		 murf
                                                          • Exercises	Using	John	the	Ripper	and	Cain,	
 				-		 ropping	Data                                                                                              F
                                                                                                             				-		 raggle
                                                            Defenses	Including	SYSKEY,	PAM,	Two-factor
 				-		 rabbing	Data                                                                                        				-	Directed	broadcast	attacks
 				-		 rapping	db	Structure
       G                                                  • Shadow	Passwords
                                                                                                             •		 NS	Amplification	Attacks	From	SYN	floods	to	
 				-		 efenses
       D                                                  • Getting	a	Shell	on	Windows                         HTTP	floods
 •		 ross-Site	Scripting,	Stealing	User	Data,	
   C                                                      • Worms                                              D
                                                                                                             •		 oS	Suites
   Defenses                                                     S
                                                          				-		 uper	Worms                                   D
                                                                                                             •		 istributed	DoS	(DDOS),	TFN2k	(Tribal	Flood	
 •		 ttacking	state	maintenance                                 F
                                                          				-		 ast	Worms                                    Network	2K)
 				-		 hy	SSL	Provides	Limited	Defenses                       W
                                                          				-		 orhol/Flash                                  P
                                                                                                             •		 rimary	Defenses	for	DoS
 				-		 ustom	Browsers	for	Manipulating	Cookies
                                                          				-		 olymorphic	and	MetamorphicWorms
 				-		 roxy	for	Session	Editing	(Achilles,	Paros	
       Proxy,	SPIProxy,	etc.)                             • Botnets
 				-		 hanging	Prices	at	Retail	Web	Sites
       C                                                        D
                                                          				-		 istribution
 				-		 efenses
       D                                                        C
                                                          				-		 ommunication	Channels
 •		 ands-on	exercises
   H                                                            P
                                                          				-		 hatbot
                                                          • Virtual	Machine	Attacks
                                                          				-		 etection                           “I loved this course. Not only are there
It is imperative that you get written                           T
                                                          				-		 he	Red	Pill
permission from the proper authority                      				-		 coopy	Doo
                                                                S                                  how-to’s of all of the tools shown, but then
in your organization before using                         				-		 MDetect
                                                                V                                    you get to test them on real systems.”
these tools and techniques on your                        • Virtual	Machine	Defenses
                                                                                                                     -tim Pryor, student
company’s system and also that you                              T
                                                          				-		 ruman
advise your network and computer
operations teams of your testing.

48     SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008                 To register for SANS NETWORK SECURITY 2008, visit
     “If I were talking about cars, I would say SANS Security 504 goes from zero to 100 in six seconds.
                    You go from zero knowledge to 100% working knowledge in six days.”
                                                                   -rodolfo delgAdo, wmg

504.5 Hands On – Part 4: Computer and Network Hacker Exploits*
Once	intruders	have	gained	access	into	a	system,	they	want	to	keep	that	access	by	
preventing	pesky	system	administrators	and	security	personnel	from	detecting	their	
presence.		To	defend	against	these	attacks,	you	need	to	understand	how	attackers	
manipulate	systems	to	discover	the	sometimes-subtle	hints	associated	with	system	
compromise.		This	course	arms	you	with	the	understanding	and	tools	you	need	to	defend	
against	attackers	maintaining	access	and	covering	their	tracks.	
                                                                                                                              Certified Instructor
Hacking Step 4 – Maintaining Access                            									•		 est	Available	Defenses
                                                                          B                                                   John Strand
 •		 ive	Levels	of	Malicious	Control
   F                                                                           C
                                                               														-		 hkrootkit
                                                                                                                              John	Strand	is	a	SANS	
 				-		 pplication	Level	
       A                                                                       R
                                                               														-		 ootkit	hunter
 									•		 ery	Popular	Bots,	Backdoor	listeners	using	
            V                                                                  R
                                                               														-		 ootkit	revealer                              Certified	Instructor	teaching	
            Netcat	(often	renamed)	and	Tini,	VNC	(virtual	     														-		 lacklight
                                                                               B                                              GCIM,	GCIH,	and	CISSP	
            network	computing),		                                              F
                                                               														-		 alse	Positives
            Sub7	or	subseven,	Back	Orifice	2000                                                                               courses.		He	is	certified	GIAC	
                                                               														-		 ther	Defenses
 									•		 etiri                                                                                                           Gold	in	GCIH	and	GCFW	
                                                               				-		 IOS-level	Alteration:	Chernobyl/CIH
 														-		 tealthy	Backdoor	Access
                                                               				-		 alicious	Microcode	in	CPU	on	the	Horizon               and	a	holder	of	the	CISSP	
 									•		 ackdoor	Wrappers	and	Packers
 									•		 nti-reverse	Engineering	and	Defenses            Hacking Step 5 – Covering the Tracks                            certification.		He	started	
 				-		 ser-mode	Rootkit
       U                                                         H
                                                               •		 iding	In	Linux	and	Windows:	
                                                                                                                              working	in	computer	
 									•		 RK
            L                                                        F
                                                               				-		 ile	Hiding
 									•		 FX	Windows	Rootkit
            A                                                        L
                                                               				-		 og	Editing	(Winzapper)                                 security	with	Accenture	
 									•		 acker	Defender                                         A
                                                               				-		 ccounting	Entry	Editing                                Consulting	in	the	areas	
 				-		 ernel-mode	Rootkit	–	Major	Area	of	Growth
       K                                                         H
                                                               •		 iding	on	the	Network:	
                                                                                                                              of	intrusion	detection,	
 									•		 dore
            A                                                        T
                                                               				-		 unneling	and	Covert	Channels
 									•		 IS
            K                                                        R
                                                               				-		 everse	WWW	Shell	(Hiding	in	Web		                      incident	response,	and	
                                                                     Surfing	Traffic)
 									•		 T	and	FU	Rootkit
            N                                                                                                                 vulnerability	assessment/
                                                               				-		 oki
 									•		 olaris	Rootkits                                                                                                 penetration	testing.		He	
                                                               				-		 overt_TCP
 									•		 uper	User	Control	Kit
 									•		 iding	Processes
                                                               				-		 ushu                                                   then	moved	on	to	Northrop	
                                                               				-		 niffing	Backdoors	(Cdoor)
 									•		 urviving	Across	Reboots
            s                                                                                                                 Grumman,	specializing	in	
                                                               •		 teganography	(S-Tools,	Hydan)
                                                                                                                              DCID	6/3	PL3-PL5	(multi-
504.6 Hands On: Hacker Tools Workshop*                                                                                        level	security	solutions),	
In	this	workshop	you’ll	apply	skills	gained	throughout	the	week	in	penetrating	various	                                       security	architectures,	and	
target	hosts	while	playing	Capture	the	Flag.		Your	instructor	will	act	as	your	personal	                                      program	certification	and	
hacking	coach,	providing	hints	as	you	progress	through	the	game	and	challenging	you	to	
                                                                                                                              accreditation.		He	also	is	a	
break	into	the	laboratory	computers	to	help	underscore	the	lessons	learned	throughout	the	
week.		For	your	own	attacker	laptop,	do	not	have	any	sensitive	data	stored	on	the	system.		                                   consultant	with	Argotek,	
SANS	is	not	responsible	for	your	system	if	someone	in	the	class	attacks	it	in	the	workshop.		                                 Inc.	He	has	a	master’s	
Bring	the	right	equipment	and	prepare	it	in	advance	to	maximize	what	you’ll	learn	and	the	                                    degree	from	Denver	
fun	you’ll	have	doing	it.		
                                                                                                                              University	and	is	currently	
Hands-on exercises                                              H
                                                              •		 acker	War	games                                             also	a	professor	there.		In	
 •		 acking
   H                                                                A
                                                              				-		 	Live-fire	Opportunity	to	Demonstrate	You	
                                                                    Learned	How	to	Use	the	Tools	and	to	Defend	               his	spare	time	he	writes	
 				-		 utting	It	All	Together	in	Two	Major	Real-world	
       Attacks                                                      Against	Their	Use	of:                                     loud	rock	music	and	makes	
 				-		 tealing	Source	Code	From	a	Large	System	
       S                                                                 R
                                                              									•		 econnaissance
       Vendor                                                            S
                                                              									•		 canning                                            various	futile	attempts	at	
 				-		 tealing	Credit	Cards	From	a	Large	Retail	Chain
       S                                                                 E
                                                              									•		 xploiting	Systems	to	Gain	Access                   fly-fishing.
 •		 ewly	Emerging	Hacker	Techniques	and	Near-
   N                                                                     K
                                                              									•		 eeping	Access
   term	Trends	and	How	System	Vendors	Will	                              C
                                                              									•		 overing	Your	Tracks

*This course is available to Security 504 participants only.

Visit for more detailed course descriptions and additional information.           SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   49
     Six-Day Program
 Mon, Sept 29 – Sat, oct 4, 2008                   The Securing Windows course is a comprehensive
9:00am–5:00pm		•		6	CPE/Day
                                                   curriculum for securing Windows networks.
                                                   This	course	brings	the	confusing	complexity	
                                                   of	Windows	security	into	clear	focus	by	
Who Should Attend
                                                   starting	with	foundational	security	services,	
•		 nyone	who	manages	a	Windows	
  network	                                         such	as	Active	Directory	and	Group	Policy,	
•		 hose	who	want	to	go	beyond	
  T                                                and	advancing	in	a	logical	progression	to	
  their	MCSE	training                              particular	products	or	features	which	rely	on	
•		 nyone	whose	IIS	Web	server	is	in	              these	foundations,	such	as	IIS	and	IPSec.		This	
  danger	of	compromise
                                                   course	provides	best	practices	for	security,	           AUTHoR STATEMENT
•		 nyone	who	is	planning	to	deploy	               hands-on	exercises,	extensive	documentation/
  Active	Directory,	Group	Policy,	                                                                         microsoft             migHt         Be    fA u lt e d    for

  IPSec,	or	a	PKI	                                 screenshots,	a	CD-ROM	of	security	scripts,	and	         mAny tHings, But lAck of AmBition
                                                   an	objective	account	of	Windows	security	               i s d e f i n i t e ly n o t o n e o f t H e m .         Ac-
                                                   (neither	bashing	Microsoft	nor	toeing	the	              tive    d i r e c t o r y , Pki, g r o u P P o l i c y ,
 Get GCWN Certified                                party	line).	                                           user Account control, Bitlocker,

                                                   This	course	will	also	prepare	you	for	the	GIAC	         isA s e r v e r , vPn s ,              e t c ., A l l m A k e

                                                   Certified	Windows	Security	Administrator	               for      A    c o m P l e t e ly       new      windows
                                                   (GCWN)	certification	exam	and	many	of	the	              l A n d s c A P e t H At i s vA s t ly m o r e i n -

                                                   MCSE:	Security	exams	as	well.                           teresting         (And       comPlex) tHAn tHe

                                                                                                           old     w i n d o w s 98/nt                   world.    you
                                                   You	are	encouraged	to	bring	a	Windows	Server	
                                                                                                           cAn       do      some        incrediBle             tHings
   Reinforce what you learned                      2003/2008	Enterprise	Edition	laptop	or	virtual	
                                                                                                           witH     windows            now, And in               secu-
    in training and prove your                     machine	with	you,	but	this	is	not	required.		The	
   skills and knowledge with a                                                                             rity    505       t H At ’ s w H At w e ’ r e g o i n g
        GCWN certification.                        instructor	will	demonstrate	the	skills	discussed	
                                                                                                           to do.       we’ll      see How to set it All
                             in	the	course,	and	the	manuals	include	
                                                                                                           uP     And       secure        it      AgAinst         mAli-
                                                   numerous	screenshots.
                                                                                                           cious insiders And                     internet       HAck-

                                                                                                           ers.    we’ll        A l s o tA l k A lo t A B o u t

                                                                                                           H o w t o A u t o m At e A s m u c H o f t H e
      LAPToP                                                   Is Security 505:
                                                                                                           work As PossiBle                (like         witH   grouP
   RECoMMENDED                                                Securing Windows
                                                                                                           Policy)        s o t H At yo u w o n ’ t H Av e t o
                                                          the correct course for me?                       sPend endless Hours eAcH week do-
    You are encouraged to bring            training/sec505.php
                                                                                                           i n g r e P e t i t i v e tA s k s .   i’ m   c o n s tA n t ly
   a Windows Server 2003/2008
Enterprise Edition laptop or vM with                                                                       u P d At i n g t H e c o u r s e wA r e A n d A d d -
    you, but this is not required.
                                                                                                           ing ne w tools to tHe                    cd-rom            so

                                                      “I would not hesitate to recommend this              t H At w e c A n c o v e r e v e r y t H i n g i m -

                                                                                                           P o r tA n t i n J u s t s i x d Ay s .         i
                                                         course to anyone who administers a                                                                    Promise

                                                                                                           yo u , t H o s e s i x d Ay s w i l l g o B y fA s t !
                                                       Windows system.” -wAlter licHty, PermA
                                                                                                           - JAson fossen

50    SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008          To register for SANS NETWORK SECURITY 2008, visit
Securing Windows is an advanced, focused course for system administrators with security responsibilities.
Senior system administrators earn from $45,000 to $90,000. Also, Windows auditors with this level of system
knowledge are highly sought after and earn salaries often 10 - 20% higher than other auditors. This course picks up
where MCSE training stops.

505.1 Hands On: Hands On: Securing Active Directory and DNS
This	course	will	quickly	get	you	on	top	of	what	you	need	to	know	about	Active	Directory	and	domain	controller	
security,	as	well	as	what’s	new	for	AD	in	Server	2008	and	later,	such	as	read-only	domain	controllers	(RODCs)	and	
change	auditing.	The	course	includes	difficult-to-master	topics	such	as	extranet	forest	design	and	delegation	of	IT	
authority	through	AD	permissions.	Note	that	this	course	is	not	an	introduction	to	Active	Directory	or	an	overview	
of	basic	administration	topics.	The	Achilles	Heel	of	Active	Directory	is	DNS,	so	this	course	will	also	discuss	DNS	
security	and	SRV	records.	SRV	records	in	DNS	are	used	for	fail-over	fault	tolerance	and	load-balancing	of	domain	
Topics: 	Securing	Domain	Controllers;	Server	Core;	AD	Access	Control	Lists;	Auditing;	Delegation	of	Authority;	Forest	
       Designs;	Secure	Dynamic	DNS                                                                                                    SANS Faculty Fellow
505.2 Hands On: Secure Configuration Enforcement Through                                                                              Jason Fossen

      Group Policy                                                                                                                    Jason	Fossen	is	a	principal	
Group	Policy	is	a	feature	of	Windows	which	can	be	used	to	reconfigure	virtually	all	security	settings	in	the	                         security	consultant	at	Enclave	
operating	system.		Group	Policy	can	scale	to	thousands	of	hosts,	even	if	they	are	spread	in	different	sites	around	
the	world.	It	is	an	essential	tool	for	enforcing	policy	compliance	(such	as	with	the	SSLF	or	FDCC	templates)	while	                   Consulting	LLC,	a	published	
keeping	costs	down.		Through	Group	Policy	you	can	manage	settings	for	PKI,	the	Windows	Firewall,	IPSec,	wireless,	
BitLocker,	EFS,	auditing/logging,	Software	Restriction	Policies,	Internet	Explorer,	Outlook,	WSUS,	and	much	more.		                   author,	and	a	frequent	public	
This	course	also	covers	patch	management	with	WSUS.
                                                                                                                                      speaker	on	Microsoft	security	
Topics: Group	Policy	Management	Console;	WMI	Filtering;	GPO	Permissions;	Custom	ADM/ADMX	Templates;	Windows	Server	
       Update	Services	(WSUS);	MSI	Software	Packages;	Pushing	Out	Scripts;	Securing	The	Desktop	With	SSLF	Templates                   issues.	He	is	the	sole	author	of	
505.3 Hands On: Windows PKI, EFS, and bitLocker                                                                                       the	SANS	week-long	Securing	
Windows	provides	a	comprehensive	Public	Key	Infrastructure	(PKI)	for	managing	certificates	and	making	their	
use	as	transparent	to	users	as	possible.		Windows	PKI	uses	Active	Directory	to	store	certificates,	Group	Policy	for	
                                                                                                                                      Windows	course	(SEC505),	
hands-free	deployment,	and	a	special	PKI	database	for	private	key	archival	and	recovery.		Everything	you	need	for	                    maintains	the	Windows	
a	full	PKI,	such	as	for	smart	cards,	SSL/TLS,	wireless	WPA	and	VPNs,	is	built	into	Windows	for	free.		The	Encrypting	
File	System	(EFS)	prevents	attackers	from	reading	hard	drive	data,	even	if	they	have	physical	control	of	the	drive,	                  day	of	Security	Essentials	
and	now	you	can	store	your	EFS	key	on	your	smart	card.		BitLocker	provides	sector-level	whole	drive	encryption	
and,	with	an	optional	TPM	chip,	can	verify	boot-up	integrity	too.		BitLocker	key	recovery	can	be	managed	through	                     (SEC401.5),	and	has	been	
Group	Policy,	which	is	important	for	preventing	data	loss	and	allowing	forensics	analysis.	
Topics: PKI	Benefits;	PKI	Installation	and	Management;	Installing	Certificates	Through	Group	Policy;	Certificate	Revocation;	         involved	in	numerous	other	
       How	To	Issue	Smart	Cards;	Encrypting	File	System;	EFS	Key	Recovery;	Managing	BitLocker;	BitLocker	Key	Recovery                 SANS	projects	since	1998.		He	
505.4 Hands On: IPSec, Windows Firewall, RADIUS, Wireless, and VPNs                                                                   graduated	from	the	Univer-
This	course	will	show	you	how	to	secure	communications	on	Windows	using	IPSec	and	the	Windows	Firewall	
(Vista/2008	version)	throughout	the	enterprise	using	Group	Policy.		IPSec	provides	authentication,	integrity	                         sity	of	Virginia,	received	his	
checking,	and	encryption	of	TCP/IP	packets	in	a	way	that	is	transparent	to	users	and	applications.		IPSec	is	tightly	
integrated	into	the	Windows	Firewall,	and	this	host-based	firewall	can	be	managed	through	Group	Policy	in	
                                                                                                                                      master’s	degree	from	the	
Windows	XP	and	later.		In	the	afternoon,	we	will	then	see	how	to	use	IPSec	for	RRAS/TMG	VPNs	and	the	RADIUS	                          University	of	Texas	at	Austin,	
policies	necessary	for	best	practices.		The	Windows	RADIUS	service	can	also	be	used	to	secure	access	to	802.11	
wireless	networks	using	WPA,	PEAP	and	digital	certificates	from	your	PKI,	so	wireless	security	best	practices	will	also	              and	holds	a	number	of	
be	covered.
Topics: 	Configuring	IPSec	Policies	with	Group	Policy;	Group	Policy	Management	of	Windows	Firewall;	Windows	RADIUS	                   professional	certifications.		He	
       Service;	RRAS	Virtual	Private	Networking;	802.1X	and	WPA2;	Wireless	Best	Practices
                                                                                                                                      currently	lives	in	Dallas,	Texas.
505.5 Hands On: Securing Internet Information Server
IIS	7.0	is	the	HTTP/FTP	server	built	into	Windows	Server	2008.	After	attending	this	course	you	will	know	how	to	
install,	configure	and	harden	IIS	against	worms	and	hackers.		IIS	7.0	has	important	new	features,	such	as	a	new	GUI	
management	tool,	ASP.NET	integration,	multiple	XML	configuration	files	instead	of	a	single	metabase,	and	support	
for	FTP	over	SSL	(FTPS).		We’ll	see	how	to	shrink	the	attack	surface	of	IIS	to	make	it	a	harder	target	and	talk	about	              “This is by far the best IT
essential	IIS	concepts	like	impersonation,	worker	processes,	application	pools,	FTPS	versus	WebDAV,	and	request	
filtering.		IIS	7.0	is	not	an	incremental	upgrade	to	IIS	6.0!                                                                     course I’ve taken in 26 years
Topics: Making	an	IIS	Bastion	Host;	Authentication;	SSL/TLS;	Minimal	NTFS	and	IIS	Permissions;	IIS	Modules;	Web	Gardens	
       and	Application	Pools;	Leveraging	IPSec	in	the	DMZ;	FTP	Over	SSL	(FTPS);	Limiting	Damage	From	Compromise                   of federal government time
505.6 Hands On: Windows PowerShell                                                                                                plus my last 5 years in local
Finally!	We’ve	been	waiting	for	years!	PowerShell	is	Microsoft’s	replacement	for	the	old	CMD.EXE	shell.	PowerShell	is	               government. Thanks!”
available	as	a	free	download	for	Windows	XP/2003/Vista	and	is	built	into	Server	2008	and	later	operating	systems	
by	default.	During	the	course	we	will	walk	through	all	the	essentials	of	PowerShell	together.	The	course	presumes	                             -ed gAllAgHer,
nothing,	you	don’t	have	to	have	any	prior	scripting	experience	to	attend.	And,	most	importantly,	be	prepared	to	
have	fun!                                                                                                                          orAnge county And sHeriff’s office
Topics: PowerShell	Cmdlets;	Piping	Objects;	Regular	Expressions;	Functions	and	Filters;	The	.NET	Class	Library;	Using	
       Properties	and	Methods	at	the	Command	Line;	Accessing	COM	Objects:	WMI,	ADSI,	ADO,	etc.;	Security	and	
       Execution	Policy;	And	lots	of	sample	scripts	to	walk	through

Visit for more detailed course descriptions and additional information.                   SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   51
     Six-Day Program
 Mon, Sept 29 – Sat, oct 4, 2008                    Experience in-depth coverage of
9:00am–5:00pm		•		6	CPE/Day
                                                    Unix security issues.
                                                    Examine	how	to	mitigate	or	eliminate	general	
Who Should Attend                                   problems	that	apply	to	all	Unix-like	operating	
•		 ecurity	professionals	seeking	to	
  S                                                 systems,	including	vulnerabilities	in	the	
  learn	the	basics	of	securing	Unix/                password	authentication	system,	file	system,	
  Linux	operating	systems
                                                    virtual	memory	system,	and	in	common	
•		 xperienced	administrators	
  looking	for	in-depth	descriptions	                network	protocols	such	as	NFS,	NIS,	and	the	
  of	attacks	on	Unix/Linux	systems	                 Unix	RPC	mechanism.		Learn	the	exact	steps	
  and	how	they	can	be	prevented
                                                    necessary	to	secure	the	two	most	common	Unix	
•		 dministrators	needing	
  A                                                                                                            AUTHoR STATEMENT
  information	on	how	to	secure	                     flavors,	Solaris	and	Linux,	and	get	specific	advice	
                                                                                                               A    wise mAn once sAid ,             “H ow   Are you
  common	Internet	applications	on	                  for	securing	some	of	the	most	common	Internet	
  the	Unix/Linux	platform                                                                                      going to leArn Any tHing if you know
                                                    services	on	the	Unix	platform,	including	Apache,	
•		 dministrators	looking	for	an	                                                                              every tHing AlreAdy ?”             A nd   yet tHere
  introduction	to	best-of-breed	
                                                    WU-FTPD,	Sendmail,	and	BIND.
                                                                                                               seems to Be A Quiet ArrogAnce in tHe
  hardening	and	testing	tools
                                                    Throughout	this	course,	you	will	become	                   u nix    communit y tHAt we ’ ve figured
•		ndividuals	with	operational	
  responsibility	for	a	firewall,	VPN,	or	           skilled	at	utilizing	freely	available	tools	to	            out All of our securit y ProBlems , As
  Internet	facing	device                            handle	security	issues	such	as	SSH,	AIDE,	                 if to sAy “ Been tHere , done tHAt .”               A ll
                                                    sudo,	lsof,	and	many	others.		SANS’	practical	             i   cAn sAy is tHAt wHAt keePs me going

                                                    approach	with	hands-on	exercises	every	day	                in tHe   u nix   field , And tHe securit y in -
  Get GCUX Certified
                                                    ensures	that	you	can	start	using	these	tools	              dustry in PArticulAr , is tHAt tHere is

                                                    as	soon	as	you	return	to	work.		We	will	also	              AlwAys sometHing new to leArn , dis -

                                                    put	these	tools	to	work	in	a	special	section	              cover , or invent . i n          15   Plus yeArs on

                                                    that	covers	simple	forensic	techniques	for	                tHe JoB , wHAt     i’ ve leArned is How mucH
                                                    investigating	compromised	systems.                         more tHere is tHAt           i   cAn leArn .   i   tHink

                                                                                                               tHis is Also true for tHe students

   Reinforce what you learned                                                                                  in my courses .         i   regulArly get com -
    in training and prove your                                           PREREqUISITE                          ments BAck from students tHAt sAy
   skills and knowledge with a                            Students must possess at least a working
        GCUX certification.                                                                                    tHings like ,    “i’ ve     Been using    u nix     for
                                                       knowledge of Unix. Most students who attend
                                                                                         20    yeArs And     i   still leArned A lot in
                                                      the course have a minimum of three to five years
                                                      of Unix system administration experience. To test        tHis clAss .”    t HAt ’ s       reAlly rewArding .

                                                      your knowledge see our Unix Knowledge quiz at            - H Al P omerAnz
     REqUIRED                                                  “It opened my eyes to a whole slew of issues.
                                                                        This will have impact as soon as I am back to work.”
                                                                                         -frescH, guArAnty BAnk

52     SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008             To register for SANS NETWORK SECURITY 2008, visit
Securing Unix/Linux is an advanced, focused course for system administrators with security responsibilities. Senior
system administrators earn from $45,000 to $90,000. Unix auditors with this level of system knowledge are highly sought
after. They can earn salaries often 10-20% higher than other auditors. According to the “2003 IT Market Compensation
Study,” IT organizations report that skilled Unix administrators are one of the two most difficult positions to fill.

506.1 Hands On: Common Issues and Vulnerabilities
This	course	provides	in-depth	coverage	of	Unix-specific	security	issues	with	an	overview	of	the	
most	common	issues	and	vulnerabilities	facing	Unix	security	professionals	both	past	and	present.	In	
addition	to	analyzing	each	vulnerability	and	its	associated	risks,	the	course	makes	recommendations	
on	living	with	(or	sometimes	living	without!)	the	given	service.		This	is	a	full-disclosure	course	with	
in-class	demos	of	actual	exploits	and	hands-on	exercises	to	experiment	with	various	examples	of	
malicious	software.
Topics: Remote	Attacks;	Memory	Attacks	and	Overflows;	The	Untrustworthy	File	System;	Programmatic	Attacks;	Trojan	                   SANS Faculty Fellow
       Horse	Programs;	Passwords	Attacks;	Physical	Issues                                                                            Hal Pomeranz

506.2 Hands On – Part 1: Hardening Unix/Linux Systems                                                                                Hal	is	founder	and	CEO	
                                                                                                                                     of	Deer	Run	Associates,	a	
This	course	is	a	simple	step-by-step	recipe	for	building	a	hardened	Unix	server	platform.		While	
focusing	primarily	on	Linux	and	Solaris	syntax,	the	course	contains	valuable	lessons	and	strategies	for	                             systems	management	and	
administrators	of	any	Unix-like	operating	system.		Students	get	a	chance	to	practice	these	techniques	                               security	consulting	firm.		He	
hands	on	using	their	own	laptops.
Topics: Installation;	Boot-Time	Configuration;	Kernel	Tuning	For	Security;	File	System	Access	Control;	Logging;	User	Access	         has	spent	more	than	15	
       Control;	Warning	Banners		                                                                                                    years	managing	systems	

506.3 Hands On – Part 2: Hardening Unix/Linux Systems                                                                                and	networks	for	some	of	
                                                                                                                                     the	largest	commercial,	
This	course	takes	a	more	in-depth	look	at	additional	tools	required	for	hardening	Unix/Linux	
operating	systems.		This	includes	Open	Source	tools,	like	AIDE	and	sudo,	and	network	access	control	                                 government,	and	academic	
utilities	like	TCP	Wrappers,	IP	Filter,	and	Portsentry.		Students	will	get	the	opportunity	to	practice	and	                          organizations	in	the	country.		
experiment	with	these	tools	in	class	so	that	they	can	be	ready	to	start	using	them	as	soon	as	they	
return	to	work.	                                                                                                                     He	is	the	technical	editor	for	
Topics: SSH	Basics;	AIDE;	Sudo;	TCP	Wrappers;	IP	Filter;	Portsentry                                                                  SysAdmin Magazine	and	was	
                                                                                                                                     the	recipient	of	the	2001	
506.4 Hands On: Unix/Linux in the Enterprise                                                                                         SAGE	Outstanding	Achieve-
In	the	typical	enterprise,	secure	Unix/Linux	machines	live	within	a	framework	of	network	services	that	
allow	administrators	to	handle	installation,	auditing,	and	logging	in	a	reasonably	automated	fashion.		                              ment	award	for	his	teaching	
This	course	looks	at	useful	tools	and	techniques	for	creating	central	logging	servers	and	monitoring	                                and	leadership	in	the	field	
them	for	suspicious	behavior,	keeping	system	clocks	in	sync,	and	securely	building	and	auditing	Unix/
Linux	systems.	Students	will	be	given	the	opportunity	to	practice	with	these	tools	during	in-class	labs.                             of	system	administration.	
Topics: 	SSH	Tips	and	Tricks;	Centralized	Logging	With	Syslog-NG;	Log	Monitoring;	NTP	for	Network	Time	Sync;	Security	               Hal	participated	in	the	first	
       Auditing	Tools;	Automated	Installation	Tools
                                                                                                                                     SANS	training	program	and	

506.5 Hands On: Running Applications Securely                                                                                        designed	the	SANS	Step-
This	course	is	a	full	day	of	in-depth	analysis	on	how	to	manage	some	of	the	most	popular	application-                                by-Step	course	model.		He	
level	services	securely	on	a	Unix	platform.		We	will	tackle	the	practical	issues	involved	with	securing	                             is	a	top-rated	instructor	and	
four	of	the	most	commonly	used	Internet	servers	in	the	Unix	realm:	BIND,	Sendmail,	Apache,	and	
WU-FTPD.		Students	will	get	the	opportunity	to	actually	implement	the	techniques	covered	in	class	                                   author	on	topics	ranging	
including	setting	up	chroot()ed	jails	for	various	services.		                                                                        from	information	security	to	
Topics: BIND;	Sendmail;	WU-FTPD;	Apache                                                                                              system	and	network	manage-

506.6 Hands On: Digital Forensics for Unix/Linux                                                                                     ment	to	Perl	programming.

This	hands-on	course	is	designed	to	be	an	information-rich	introduction	devoted	to	basic	forensic	
principals	and	techniques	for	investigating	compromised	Unix/Linux	systems.		At	a	high	level,	it	
introduces	the	critical	forensic	concepts	and	tools	that	every	administrator	should	know	and	provides	a	
real-world	compromise	for	students	to	investigate	using	the	tools	and	strategies	discussed	in	class.			
Topics: Tools	Throughout;	Forensic	Preparation	and	Best	Practices;		Incident	Response	and	Evidence	Acquisition;		
       Media	Analysis;	Incident	Reporting

Visit for more detailed course descriptions and additional information.                  SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   53
     Six-Day Program
 Mon, Sept 29 – Sat, oct 4, 2008
                                                   Unpatched, unprotected computers connected to the
9:00am–5:00pm		•		6	CPE/Day                        Internet are compromised in less than three days.
                                                   Traditional	Internet-based	crime	is	not	the	
                                                   only	reason	to	perform	computer	forensics.		
                                                   Government	regulations	and	organizational	
Who Should Attend                                  policy	might	require	computer	forensic	
•		 nyone	ready	to	understand	how	
  computer	forensics	and	incident	                 investigators	to	perform	system	forensics	to	
  response	are	practiced	by	the	                   investigate	intellectual	property	theft,	harassment,	
  people	who	actually	do	this                      and	regulatory	compliance.		Investigators	
•		nformation	security	consultants	                must	master	a	variety	of	operating	systems,	
  who	would	like	to	make	it	in	the	
  forensic	field                                   investigation	techniques,	incident	response	
•		 aw	enforcement	personnel	seeking	
  L                                                tactics,	and	even	legal	issues	in	order	to	solve	
  to	take	their	technical	skills	to	the	           their	cases.		The	Computer	Forensics,	Investigation,	                         AUTHoR STATEMENT
  next	level                                       and	Response	course	will	teach	you	forensic	                                  sAns       comPuter               forensics
•		 orensic	analysts	who	want	to	learn	
                                                   techniques	and	tools	in	a	hands-on	setting	for	                               grAduAte tHwArts BAnk Heist.
  how	to	forensically	recover	and	
  analyze	data	without	relying	on	a	               both	Windows-	and	Linux-based	investigations.		                               H eAdlines    similAr to tHese Are now
  tool	to	automatically	accomplish	                This	course	emphasizes	a	hands-on	approach	
  the	task                                                                                                                       A reAlity As former students HAve e -
                                                   so	you	will	learn	in-depth	open	source	and	
•		 ubject	matter	experts	who	want	to	             commercial	forensic	tool	functionality	and	how	to	                            mAiled me regulArly ABout How tHey
  be	able	to	explain	how	evidence	can	
  be	recovered	in	a	legal	setting                  exploit	their	capabilities	in	a	variety	of	case	types.                        were ABle to use tHeir forensic skills in

•		 -Discovery	personnel	tasked	with	
  e                                                                                                     very reAl situAtions . g rAduAtes from
                                                   Beginning	with	fundamental	forensic	concepts,	
  collecting	and	analyzing	e-mail	and	                                                                  c omPuter f orensics , i nvestigAtion ,
                                                   such	as	the	file	system	structures	of	Windows	
                                                   and	Linux,	the	content	and	difficulty	level	of	      And r esPonse Are tHe front line trooPs

                                                   this	course	advance	rapidly	to	include	evidence	     dePloyed wHen incidents occur . k now -
                                                   acquisition,	hash	database	comparisons,	and	full	
  Get GCFA Certified                               and	partial	file	recovery	and	analysis.		Learning	
                                                                                                        ing tHAt tHis course PlAces tHe correct

                                                                                                        metHodology And knowledge in tHe
                                                   more	than	just	how	to	use	a	forensic	tool,	you	will	
                                                                                                        HAnds of resPonders wHo tHwArt tHe
                                                   be	able	to	demonstrate	how	the	tool	functions	
                                                   step	by	step.	You	will	become	skilled	with	diverse	 PlAns of criminAls or foreign cyBer At -
                                                   tools,	such	as	the	Sleuthkit,	Foremost,	and	the	     tAcks Brings me greAt comfort . g rAdu -

                                                   HELIX	Forensics	Live	CD.		You	will	rapidly	move	     Ates Are doing it . d Aily . i Am Proud
                                                   on	to	advanced	forensic	and	investigation	           tHAt tHe c omPuter f orensics , i nvesti -
                                                   analysis	topics	and	techniques.		This	SANS	          gAtion , And r esPonse course At sAns
   Reinforce what you learned                      hands-on	technical	course	arms	you	with	a	deep	
    in training and prove your                                                                          HelPed PrePAre tHem to figHt And solve
                                                   understanding	of	the	forensic	methodology,	tools,	
   skills and knowledge with a                                                                          crime . - r oB l ee
                                                   and	techniques	to	successfully	solve	even	the	
         GCFA certification.
                                                   most	difficult	case.

                                                   The SIFT Toolkit consists of:                                                   PREREqUISITES: This advanced course is
                                                                                                                                   perfect for the diligent student conversant
                                                   • Hard Drive USB evidence acquisition kit for SATA/IDE hard drives
                                                                                                                                   with Linux system administration, Windows
                                                                                                                                   system administration, TCP/IP, and intrusion
      LAPToP                                       • Licensed copy of HELIX 2.0 incident response & computer forensics live CD     detection methodologies. If you are just
                                                   • SANS VMware based Forensic analysis workstation equipped to                   beginning in information security, this course
     REqUIRED                                        investigate forensic data                                                     is not appropriate for you as the basics of the
                                                   • Course DVD loaded with case examples, tools, and documentation                Linux and Windows operating systems will
                                                   • Best-selling book File System Forensic Analysis by Brian Carrier              not be covered in this program.

54    SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008                       To register for SANS NETWORK SECURITY 2008, visit
Computer Forensics, Investigation, and Response is one of SANS’ most advanced and
challenging courses. People with GCIA and GCFA certifications often land some of the most challenging jobs in
information security. They have solved crimes that have appeared on the evening news.

508.1 Hands On: Forensic and Investigative Essentials*
Investigating	incidents	from	intellectual	property	theft,	computer	abuse,	and	intrusions,	this	hands-on	forensic	
course	will	arm	you	with	the	methods	and	tools	to	respond	to	and	investigate	any	event	in	your	workplace.		This	
course,	designed	to	provide	a	jump	start	for	new	forensic	investigators,	fills	in	the	gaps	for	more	experienced	
security	personnel.		File	systems	are	the	core	of	your	understanding	of	computer	forensics.		As	every	forensic	
tool	utilizes	this	knowledge,	you	will	learn	how	hard	drives	are	used	to	store	data	from	the	partitioning	to	how	
file	systems	work.		The	day	will	conclude	with	discussion	on	the	internals	to	the	most	common	file	systems	
encountered	in	forensics	Windows	(NTFS	and	FAT)	and	Linux	(Ext2/3).
Topics: 	Forensic	Definitions;	Incident	Response	and	Forensics;	Core	Forensic	Methodology;	File	System	Essentials                     SANS Faculty Fellow
508.2 Hands On – Part 1: Forensic Methodology Illustrated*                                                                            Rob Lee
                                                                                                                                      Rob	Lee	is	a	principal	consul-
Investigators	utilize	a	core	forensic	methodology	applied	in	every	case	type.		For	example,	being	able	to	analyze	
a	live	machine	is	critical	to	a	forensic	investigator’s	skills.		Part	of	the	DVD	courseware	includes	a	hacked	VMware	                 tant	for	MANDIANT,	a	leading	
machine	that	was	suspended	immediately	after	being	compromised	that	you	can	test	your	incident	response	and	                          provider	of	information	security	
evidence	collection	skills	on.		You	will	learn	how	to	minimize	damage	to	the	evidence	of	the	live	machine	and	how	
                                                                                                                                      consulting	services	and	soft-
to	acquire	volatile	evidence	from	the	machine.		Finally,	you	will	learn	how	to	image	a	hard	drive	as	evidence	and	
maintain	evidence	integrity	through	a	variety	of	methods	using	the	SIFT	kit.                                                          ware	to	Fortune	500	organiza-
Topics: Incident	Response	and	Evidence	Gathering;	Timeline	Analysis;	Evidence	Imaging	and	Examination                                 tions	and	the	U.S.	Government.		

508.3 Hands On – Part 2: Forensic Methodology Illustrated*                                                                            Rob	has	over	11	years’	experi-
                                                                                                                                      ence	in	computer	forensics,	
As	a	forensic	investigator,	it	is	important	to	understand	multiple	ways	to	find	and	recover	data	from	collected	
evidence.	You	will	learn	how	to	perform	string	searches	looking	for	an	email	address	or	bytes	found	at	the	                           vulnerability	discovery,	intru-
beginning	of	a	zip	file	in	order	to	recover	the	pertinent	data	from	your	evidence.		Performing	hash	database	                         sion	detection,	and	incident	
comparisons	and	file	type	sorting	is	also	a	very	powerful	way	to	help	narrow	the	focus	of	an	investigator.		Finally,	
you	will	learn	how	an	automated	toolkit	works	to	help	you	speed	up	the	process	of	an	investigation	using	the	
                                                                                                                                      response.		A	graduate	from	the	
Autopsy	Forensic	Browser.		We	will	discuss	how	similar	commercial	tools	perform	the	same	functionality.                               U.S.	Air	Force	Academy,	Rob	
Topics: 	Filesystem	Forensics;	Forensic	Toolkits;	Hash	Comparisons;	Media	Analysis;Creating	Advanced	Timelines;	Autopsy	              served	in	the	U.S.	Air	Force	as	
       Forensic	Browser	
                                                                                                                                      a	founding	member	of	the	
508.4 Hands-On: Windows File System Forensics*                                                                                        609th	Information	Warfare	
Investigations	involving	Windows-based	operating	systems	occur	frequently.		For	this	reason,	it	is	essential	to	study	                Squadron,	the	first	U.S.	military	
and	examine	in-depth	the	forensic	evidence	left	on	Windows-based	file	systems.		This	course	covers	Microsoft	
                                                                                                                                      operational	unit	focused	on	
Windows	2000,	Windows	XP,	Windows	2003,	and	the	new	Windows	VISTA.	Even	though	they	all	use	NTFS	or	FAT	for	
the	filesystem,	each	one	is	different	there	are	some	variations	on	the	type	of	forensic	data	that	might	be	found	on	                  Information	Operations.	Later,	
each	operating	system.	You	will	learn	how	to	analyze	the	Windows	recycle	bin,	the	registry,	and	even	the	Windows	                     he	was	a	member	of	the	Air	
prefetch	in	addition	to	learning	how	file	metadata	might	be	discovered	in	the	Internet	Explorer	history	files	as	well	
                                                                                                                                      Force	Office	of	Special	Investi-
as	Microsoft	Office	Documents.	
Topics: 	Windows	Live	System	Incident	Verification;	Windows	Evidence	Collection;	Windows	Media	Analysis	and	                          gations	where	he	conducted	
       Examination;	Registry	and	Information	                                                                                         computer	crime	investigations	
508.5 Computer Investigative Law for Forensic Analysts*                                                                               and	computer	forensics.		Prior	to	
Legal	issues,	especially	liability,	remain	foremost	in	the	mind	of	an	incident	handler	or	forensic	investigator.		As	a	result,	       joining	MANDIANT,	he	worked	
this	class	generates	more	discussion	than	does	any	other	class	we	offer.		Learn	to	minimize	the	risk	for	legal	trouble	               on	contracts	for	a	variety	of	
while	investigating	incidents.	This	course	is	not	designed	for	management,	but	for	the	individuals	actually	performing	               government	agencies,	where	
a	computer-based	investigation.		The	content	focuses	on	challenges	that	every	investigator	needs	to	understand	be-
fore,	during,	and	post	investigation.		Since	most	investigations	could	potentially	bring	a	case	to	either	a	criminal	or	civil	        he	was	the	technical	lead	
courtroom,	it	is	essential	for	you	to	understand	how	to	perform	a	computer-based	investigation	legally	and	ethically.                 for	a	vulnerability	discovery	
Topics: Defending	Your	Network;	Law	Enforcement;	Collecting	Evidence	for	Trial;	Law	Enforcement	and	You                               team,	contractor	lead	for	cyber	
508.6 Hands On: Advanced Forensics and the Forensic Challenge*                                                                        forensics	branch,	and	led	a	
Applications	will	potentially	store	data	just	from	their	installation,	execution,	and	general	use	on	the	file	system	and	             security	software	development	
memory.		The	evidence	trail	created	by	these	programs	could	be	a	treasure	trove	of	crucial	data	that	might	make	or	break	             team.		Rob	also	coauthored	the	
your	case.		You	will	learn	how	to	utilize	advanced	analysis	techniques	to	discover	where	you	might	find	and	uncover	cru-              bestselling	book,	Know Your
cial	evidence.		During	the	final	part	of	the	class,	you	will	employ	the	techniques	learned	throughout	the	week	in	a	system-
atic	hands-on	investigation	case.		You	will	analyze	a	real-world	compromised	system	collected	by	the	Honeynet	Project	                Enemy,	2nd	Edition.		In	addition	
and	have	the	chance	to	discover	who	the	suspect	is	online		using	the	investigative	methodology	learned	in	the	course.                 to	working	for	MANDIANT	and	
Topics: Application	Footprinting	and	Analysis;	Process	Wiretapping;	The	Forensic	Challenge	                                           SANS,	Rob	is	currently	pursuing	
*This course is available to Security 508 participants only.                                                                          his	MBA	at	Georgetown	Univer-
                                                                                                                                      sity	in	Washington	DC.

Visit for more detailed course descriptions and additional information.                   SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   55
     Six-Day Program
 Mon, Sept 29 – Sat, oct 4, 2008                   Experts agree that Oracle is one of the most complex
9:00am–5:00pm		•		6	CPE/Day                        software packages available today.
                                                   Unfortunately,	such	complexity	often	introduces	
                                                   vulnerabilities	that	are	being	increasingly	targeted	by	
Who Should Attend                                  attackers.		It’s	not	uncommon	for	the	SANS	Internet	
•		 racle	database	administrators	
                                                   Storm	Center	to	see	hundreds	of	thousands	of	hack	
  responsible	for	installation	and	
  management	of	Oracle	databases                   attempts	against	Oracle	databases	each	month.	
•		 evelopers	who	wish	to	create	
                                                   SANS	recognized	the	need	for	comprehensive	Oracle	
  secure	data	access	applications	and	
  Web	sites                                        security	training	to	help	organizations	protect	their	  AUTHoR STATEMENT
•		 ecurity	professionals	who	are	
  S                                                most	critical	information	resources.		We	sought	out	    o rAcle is one of tHe most excit -
  concerned	about	the	security	
                                                   one	of	the	world’s	foremost	experts	in	Oracle	security	 ing And cHAllenging dAtABAses
  of	their	organization’s	Oracle	
  databases                                        to	develop	a	course	that	would	clearly	illustrate	      tHAt exist . w Hen it comes to se -
•		 uditors	and	penetration	testers	
  A                                                mechanisms	to	secure	and	audit	Oracle	databases.		      curing An o rAcle dAtABAse , tHere
  who	need	to	evaluate	the	security	of	
                                                   In	this	course	author	Tanya	Baccam	leads	students	      Are mAny cHAllenges tHAt Admin -
  Oracle	databases
•		 ecurity	managers	who	need	to	                  through	the	process	of	securing	Oracle	by	defining	     istrAtors And securit y Profes -
  understand	the	security	risks	with	              the	risks	to	data,	using	auditing	techniques	for	       sionAls will fAce . t His course is
  data	held	in	an	Oracle	database
                                                   detecting	unauthorized	access	attempts,	using	Oracle	 designed to Be A fully comPre -
                                                   access	controls	and	user	management	functions,	and	 Hensive And intense introduc -
                                                   developing	reliable	backup	and	restore	processes	as	 tion to PlAnning , Auditing , And
  Get GSoC Certified                               well	as	techniques	to	secure	Oracle	applications	and	 securing An o rAcle dAtABAse . t He
                                                   the	Oracle	Application	Server.                          course doesn ’ t Just mention tHe

                                                                                                                vulnerABilities ,       But     it   exPlAins
                                                   Throughout	the	course,	which	includes	public	and	
                                                                                                                wHy tHe issues mAy exist And How
                                                   unreleased	techniques	used	to	compromise	the	
                                                                                                                tHey could Be leverAged By An At -
                                                   integrity	of	the	database	or	escalate	a	user’s	privilege,	
                                                                                                                tAcker .    t His    Aids tHe student in
                                                   students	will	be	exposed	to	the	Oracle	database	as	
                                                                                                                tHinking like An At tAcker , wHicH
                                                   seen	through	the	eyes	of	an	attacker.		In	this	fashion,	     needs to Be done to Protect tHe
   Reinforce what you learned                      students	gain	a	better	understanding	of	how	an	              dAtABAses .         s tudents    Are   often
    in training and prove your                     attacker	sees	a	database	as	a	target,	and	how	the	           AmAzed At How mAny different
   skills and knowledge with a
                                                   database	can	be	configured	to	be	resistant	to	known	         wAys tHere Are for An At tAcker
         GSoC certification.
                             and	unknown	attacks.		The	course	covers	versions	of	         to comPromise An            o rAcle    dAtA -
                                                   Oracle	up	to	and	including	10g	on	Unix	or	Windows	           BAse .    u ltimAtely ,   tHe goAl is to
                                                   operating	systems.                                           teAcH How to Protect one of tHe

                                                                                                                most      imPortAnt       orgAnizAtionAl

      LAPToP                                        PREREqUISITE
                                                                                                                Assets     –   tHe dAtA .   d AtA    Provides

                                                                                                                informAtion ,
     REqUIRED                                       The course assumes students have basic SqL                                        informAtion      leAds                          and PL/SqL skills as well as an understanding of            to      knowledge ,       And   knowledge
       laptop/sec509.php                            the oracle database architecture and features.              is Power in tHe Business world .
                                                    Students should be familiar with configuring                t His    course is An exciting And in -
                                                    software such as the oracle client and be able to           teresting Journey on Protecting
                                                    read and understand simple shell scripts for Unix           tHis criticAl orgAnizAtionAl Asset !
                                                    or Windows systems.
                                                                                                                -t AnyA B AccAm

56    SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008           To register for SANS NETWORK SECURITY 2008, visit
Securing oracle gives students a solid grounding in how to audit and secure an oracle database installation.
Students will develop the ability to define and implement solid robust oracle security standards and policies and
learn to specify or create useful tools to audit an oracle database and understand how to secure it.

509.1 Hands On: Securing Oracle Foundations*
Students	are	introduced	to	various	techniques	used	by	an	attacker	to	compromise	the	database	includ-
ing	buffer	overflows,	SQL	injection	attacks,	exploiting	Oracle	stored	procedures,	and	cross-site	scripting	
attacks.		We	also	look	at	the	process	of	installing	the	database	in	a	secure	fashion	after	hardening	the	host	
operating	system	with	strong	filesystem	permissions.
Topics: Securing	Oracle;	Foundations;	Oracle	Attack	Vectors;	Attacking	Oracle;	Host	Operating	System	Security;		
       Hunting	for	Passwords

509.2 Hands On: Securing Oracle’s Authentication Process*                                                                            Senior Instructor
The	Oracle	authentication	process	is	examined	including	single	sign-on	and	unified	authentication	with	
LDAP	or	the	Oracle	Internet	Directory	product.		We	also	explore	Oracle	default	user	accounts,	roles,	and	                            Tanya Baccam
grants	including	audit	techniques	to	identify	user	accounts	with	weak	passwords	using	password	cracking	                             Tanya	is	a	senior	SANS	
techniques.		Auditing	user	accounts	and	application	schema	accounts	are	also	discussed	in	detail	covering	                           instructor	as	well	as	a	SANS	
third	party	authentication,	shared	accounts,	and	proxy	users	embedded	accounts	implemented	in	3rd	party	
applications.		The	day	concludes	with	a	complete	discussion	of	password	management	including	enforcing	                              courseware	author.		She	
and	creating	a	password	management	policy	and	utilizing	profiles	to	control	access	to	database	resources.                            also	provides	many	security	
Topics: Authentication	Methods;	Default	Users	and	Password	Audits;	Schema	and	Application	Owners;	Implementing	
       Password	Management	                                                                                                          consulting	services	for	clients,	
                                                                                                                                     such	as	system	audits,	vulner-
509.3 Hands On: Oracle Access Controls – Configuration*                                                                              ability	and	risk	assessments,	
This	day	examines	techniques	that	can	be	used	to	deploy	access	control	mechanisms	in-depth	by	
protecting	database	objects.		We	also	cover	many	of	the	countless	database	configuration	options	with	                               database	assessments,	Web	
recommendations	that	make	the	database	more	resistant	to	common	attacks.		The	final	part	of	the	day	                                 application	assessments,	
is	dedicated	to	the	problems	associated	with	the	growing	number	of	PUBLIC	privileges	including	the	
                                                                                                                                     and	penetration	testing.	
techniques	authenticated	users	can	use	to	escalate	their	privilege	levels.	
Topics: Access	and	Output;	Roles	and	Users;	Configuration;	PUBLIC	Privileges,	Profiles,	Packages	and	Objects                         She	has	previously	worked	

509.4 Hands On: Auditing Oracle*                                                                                                     as	the	director	of	assurance	
This	day	delves	into	auditing	the	Oracle	environment.		We’ll	examine	the	built-in	Oracle	auditing	features	                          services	for	a	security	services	
including	the	new	enhancements	to	Fine	Grain	Auditing.		Forensic	assessment	of	Oracle	databases	is	also	                             consulting	firm,	as	well	as	
covered	in	this	day	including	data	recovery	and	retracing	the	steps	of	an	attacker.		If	your	organization	                           manager	of	infrastructure	
is	encumbered	by	federal	restrictions	in	information	management	such	as	HIPAA	or	GLBA,	this	day	will	
provide	vital	information	that	you	can	deploy	immediately	after	completing	this	course.                                              security	for	a	healthcare	orga-
Topics: 	Oracle	Auditing	-	Myths	and	Facts;	Reviewing	the	Audit	Trail;	Oracle	Auditing	-	Myths	and	Facts;	Reviewing	the	Audit	       nization.		She	also	served	as	a	
       Trail;	Forensics;	Fine	Grained	Audit	Forensics;	Fine	Grained	Auditing
                                                                                                                                     manager	at	Deloitte	&	Touche	
509.5 Hands On: Networking, backups, SQL*Plus, and an                                                                                in	the	Security	Services	prac-
      Introduction to OracleAS*                                                                                                      tice.		Throughout	her	career	
The	Oracle	listener	is	usually	the	first	recipient	of	attacks	from	adversaries	seeking	to	compromise	the	                            she’s	consulted	with	many	
database.		This	day	covers	networking	topics	associated	with	the	database	including	securing	the	listener	
configuration	and	network	design	recommendations	for	the	database	and	administrative	workstations.	                                  clients	about	their	security	
The	day	continues	to	discuss	the	challenges	of	backup	and	restore	of	the	database	including	redo	logs	                               architecture,	including	areas	
and	database	mirroring	and	media	storage	and	destruction.		We	conclude	the	day	by	looking	at	tech-
                                                                                                                                     such	as	perimeter	security,	
niques	to	secure	the	SQL*Plus	and	iSQL*Plus	tools	including	techniques	to	enforce	and	restrict	the	use	of	
specific	applications	that	are	allowed	to	connect	to	the	database.	                                                                  network	infrastructure	
Topics: Auditing	the	Oracle	Listener;	Network	Access	to	Oracle;	Database	Backup	and	Recovery;	Restricting	Developer	and	             design,	system	audits,	Web	
       Access	Tools
                                                                                                                                     server	security,	and	database	
509.6 Hands On: Securing Applications*                                                                                               security.	She	has	played	an	
End-user	tools	created	with	PL/SQL	and	Java	can	introduce	their	own	security	risks.		This	day	covers	secure	
programming	for	the	database	including	protecting	source	confidentiality	and	integrity	and	setting	resource	
                                                                                                                                     integral	role	in	developing	
limits	to	prevent	denial	of	service	attacks.	In	addition,	we	look	at	encrypting	data	and	issues	with	tools	such	as	                  multiple	business	applica-
debuggers.		We	also	look	at	the	most	visible	Web-facing	components	of	the	database	and	cover	some	of	the	                            tions	and	currently	holds	the	
main	security	issues	of	the	Oracle	application	server.		The	final	module	of	this	intense	day	covers	where	we	
think	Oracle	security	is	going,	exploring	early	techniques	in	the	design	of	viruses	and	worms	specific	to	Oracle.	                   CPA,	GCFW,	GCIH,	CISSP,	CISM,	
Topics: Oracle	Programming	Issues;	Controlling	Applications;	Application	Internals;	Exercising	Control;	Introduction	to	             CISA,	CCNA,	CCSE,	CCSA,	and	
       Securing	iAS;	Oracle	Security	Future
                                                                                                                                     Oracle	DBA	certifications.
*This course is available to Security 509 participants only.

Visit for more detailed course descriptions and additional information.                  SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   57
     Six-Day Program
 Mon, Sept 29 – Sat, oct 4, 2008
                                                    Find Security Flaws Before the Bad Guys Do.
9:00am–5:00pm		•		6	CPE/Day
                                                    Security	vulnerabilities,	such	as	weak	configura-
                                                    tions,	unpatched	systems,	and	botched	architec-
                                                    tures,	continue	to	plague	organizations.		Enter-
IMPORTANT NOTE: SANS Security 560 is                prises	need	people	who	can	find	these	flaws	in	a	
one of the most technically rigorous
courses offered by the SANS Institute.              professional	manner	to	help	eradicate	them	from	
Attendees are expected to have a working            our	infrastructures.		Lots	of	people	claim	to	have	
knowledge of TCP/IP, cryptographic routines         penetration	testing,	ethical	hacking,	and	security	
such as DES, AES, and MD5, and the Windows
and Linux command lines before they step
                                                    assessment	skills,	but	precious	few	can	apply	these	
into class. Although SANS Security 401              skills	in	a	methodical	regimen	of	professional	test-
(Security Essentials) and SANS Security 504         ing	to	help	make	an	organization	more	secure.		This	
(Hacker Techniques, Exploits, and Incident          class	covers	the	ingredients	for	successful	network	        AUTHoR STATEMENT
Handling) are not pre-requisites for SEC560,
these courses cover the groundwork that             penetration	testing	to	help	attendees	improve	              successful           P e n e t r At i o n    testers
all SEC560 attendees are expected to know.          their	enterprise’s	security	stance.                         don’t       Just     tHrow        A     BuncH         of
While SEC560 is technically in-depth, it is
important to note that programming knowl-           We	address	detailed	pre-test	planning,	including	           HAcks       AgAinst        An     o r g A n i z At i o n
edge is NOT required for the course.                setting	up	an	effective	penetration	testing	infra-          A n d r e g u r g i tAt e t H e o u t P u t o f
                                                    structure	and	establishing	ground	rules	with	the	
                                                                                                                tHeir tools.           insteAd,
Who Should Attend                                   target	organization	to	avoid	surprises	and	misun-
                                                                                                                                                        tHey need

•		 ecurity	personnel	whose	                        derstanding.		Then	we	discuss	a	time-tested	meth-
                                                                                                                t o u n d e r s tA n d H o w t H e s e t o o l s
  job	involves	assessing	target	                                                                                work in dePtH And conduct tHeir
  networks	and	systems	to	find	                     odology	for	penetration	and	ethical	hacking	across	
  security	vulnerabilities                          the	network,	evaluating	the	security	of	network	            test in A cAreful, ProfessionAl
•		 ystem	administrators,	technical	                services	and	the	operating	systems	behind	them.             mAnner.         tHis       course           exPlAins
  auditors,	professional	penetration	
  testers,	and	consultants	who	want	                Attendees	will	learn	how	to	perform	detailed	re-            tHe inner workings of numerous
  technical	depth	and	hands-on	                     connaissance,	learning	about	a	target’s	infrastruc-         tools And tHeir use in effective
  experience	with	penetration	
                                                    ture	by	mining	blogs,	search	engines,	and	social	           n e t w o r k P e n e t r At i o n t e s t i n g A n d
  testing	and	ethical	hacking	tools
•		 ecurity	personnel	from	
  S                                                 networking	sites.		We’ll	then	turn	our	attention	to	        etHicAl HAcking ProJects.                       wHen
  enterprises	required	to	comply	                   scanning,	experimenting	with	numerous	tools	in	
                                                                                                                teAcHing tHe clAss,               i   PA r t i c u l A r -
  with	the	PCI	DSS	Penetration	Test	                hands-on	exercises.		Our	exploitation	phase	will	
  requirements                                                                                                  ly e n J o y t H e n u m e r o u s H A n d s - o n
                                                    include	the	use	of	exploitation	frameworks,	stand-
                                                    alone	exploits,	and	other	valuable	tactics,	all	with	       e x e r c i s e s c u l m i n At e d w i t H A f i n A l
   Get GPEN Certified
                                                    hands-on	exercises	in	our	lab	environment.		The	            P e n - t e s t i n g e x t r AvA g A n z A l A B .

                                                    class	also	discusses	how	to	prepare	a	final	report	         -e d s k o u d i s
                                                    tailored	to	maximize	the	value	of	the	test	from	
                                                    both	a	management	and	technical	perspective.	The	
                                                    final	portion	of	the	class	includes	a	comprehensive	
                                                    hands-on	exercise	in	which	students	will	conduct	
                                                                                                                  “Ed Skoudis is the clearest,
                                                    a	penetration	test	against	a	hypothetical	target	
    Reinforce what you learned                      organization	following	all	of	the	steps.                        most concise hacking/
     in training and prove your
                                                    The	course	also	describes	the	limitations	of	pen-            penetration testing teacher
    skills and knowledge with a
          GPEN certification.                       etration	testing	techniques	and	other	practices	                    in the market!”
                              that	can	be	used	to	augment	penetration	testing	                  -roBert wAnger, trAnsunion
                                                    to	find	vulnerabilities	in	architecture,	policies,	and	
       LAPToP                                       processes.		We	address	how	penetration	testing	
      REqUIRED                                      should	be	integrated	as	a	piece	of	a	comprehen-                         sive	enterprise	information	security	program.	

58     SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008            To register for SANS NETWORK SECURITY 2008, visit
   “As an outsider, you never get to learn and understand how some penetration testing
                 companies work, but this course peels back those covers!”
                                                                    -moses HernAndez, BrowArd HeAltH

560.1 Planning, Scoping, and Recon*
Successful	professional	penetration	testers	and	ethical	hackers	must	carefully	prepare	their	projects,	
and	this	detailed	session	covers	the	strategies	and	tactics	for	doing	so	effectively.		We	cover	building	
a	penetration	testing	and	ethical	hacking	infrastructure	that	includes	the	appropriate	hardware,	
software,	network	infrastructure,	and	test	tools	arsenal,	with	specific	low-cost	recommendations.		This	
portion	of	the	course	also	describes	how	to	plan	the	specifics	of	a	test,	carefully	scoping	the	project	
and	defining	the	rules	of	engagement.		This course provides extensive details of penetration testing preparation
and methodology, which are immensely useful in meeting the Payment Card Industry (PCI) Data Security Standard (DSS)
Requirement 11.3 on penetration testing.                                                                                                             SANS Faculty Fellow
Topics: The Mindset of the Professional Pen Tester; Legal Issues; Reporting; Types of Penetration Tests and Ethical Hacking Projects; Detailed
        Recon; Mining Search Engine Results with Aura/Wikto/EvilAPI                                                                                  Ed Skoudis
                                                                                                                                                     Ed	is	the	author	of	SEC504:	
560.2 Scanning*                                                                                                                                      Hacker	Techniques,	Exploits,	
This	component	of	the	course	focuses	on	the	vital	task	of	scanning	a	target	environment,	creating	                                                   and	Incident	Handling,	SEC517:	
a	comprehensive	inventory	of	machines,	and	then	evaluating	those	systems	to	find	potential	
                                                                                                                                                     Cutting-Edge	Hacking	Tech-
vulnerabilities.		We’ll	look	at	some	of	the	most	useful	scanning	tools	freely	available	today,	
experimenting	with	them	in	our	hands-on	lab.		Because	vulnerability-scanning	tools	inevitably	give	us	                                               niques,	and	SEC560:	Network	
false	positives,	we’ll	also	look	at	techniques	for	false-positive	reduction	with	hands-on	exercises.                                                 Penetration	Testing	and	Ethical	
Topics: Overall Scanning Tips; tcpdump for the Pen Tester; Protocol Anomalies; The Nmap Scripting Engine; Version Scanning with Nmap and             Hacking,	and	teaches	on	a	
        Amap; False Positive Reduction                                                                                                               regular	basis.		Ed’s	expertise	
560.3 Exploitation*                                                                                                                                  includes	hacker	attacks	and	
In	this	section	we	look	at	the	many	kinds	of	exploits	that	a	penetration	tester	or	ethical	hacker	can	use	                                           defenses,	the	information	
to	compromise	a	target	machine.		We’ll	analyze	in	detail	the	differences	between	server-side,	client-                                                security	industry,	and	computer	
side,	and	local	privilege	escalation	exploits,	exploring	some	of	the	most	useful	recent	exploits	in	each	                                            privacy	issues.		He	has	performed	
category.		We’ll	see	how	these	exploits	are	packaged	in	frameworks	like	Metasploit	and	its	mighty	                                                   numerous	security	assessments,	
Meterpreter.		We’ll	also	look	at	post-exploit	analysis	of	machines	and	pivoting	to	find	new	targets.
                                                                                                                                                     provided	detailed	expert	witness	
Topics: Comprehensive Metasploit Framework Coverage with Exploits/Stagers/Stages; Bypassing the Shell vs. Terminal Dilemma; Installing
        VNC/RDP/SSH with Only Shell Access; Running Windows Commands Remotely with sc and wmic; Building Port Scanners and Password                  services	in	cases	involving	major	
        Guessers at the Command Line                                                                                                                 credit	card	theft,	and	responded	
560.4 Password Attacks*                                                                                                                              to	computer	attacks	for	clients	
                                                                                                                                                     in	the	financial,	high	technology,	
This	component	of	the	course	turns	our	attention	to	password	attacks,	analyzing	password	guessing,	pass-
word	cracking,	and	pass-the-hash	techniques	in	depth.		We’ll	go	over	numerous	tips	based	on	real-world	                                              healthcare,	and	other	industries.		
experience	to	help	penetration	testers	and	ethical	hackers	maximize	the	effectiveness	of	their	password	                                             Ed	conducted	a	demonstration	of	
attacks	with	some	of	the	most	powerful	attack	tools	available	today	for	gaining	access	to	machines.                                                  hacker	techniques	against	finan-
Topics: Pass-the-Hash Attacks Using Modified SMB Client Software; Patching John the Ripper to Squeeze Out Maximum Performance; Rainbow               cial	institutions	for	the	United	
        Tables Hands-on and In-depth; Cain – The Pen Tester’s Dream Tool
                                                                                                                                                     States	Senate	and	is	a	frequent	
560.5 Wireless and Web Apps*                                                                                                                         speaker	on	issues	associated	
This	section	of	the	course	describes	methodologies	for	finding	common	wireless	weaknesses,	including	                                                with	hacker	tools	and	defenses.		
misconfigured	access	points,	application	of	weak	security	protocols,	and	the	improper	configuration	of	                                              He	has	published	several	articles	
stronger	security	technologies.		The	second	half	of	this	session	focuses	on	Web	application	penetration	
                                                                                                                                                     on	these	topics,	as	well	as	the	
testing,	looking	for	the	numerous	flaws	that	impact	commercial	and	homegrown	Web	apps.		Attendees	
will	work	hands-on	with	tools	that	can	find	Cross-Site	Scripting	(XSS),	Cross-Site	Request	Forgery	(XSRF),	                                          books	Counter Hack Reloaded	and	
command	injection,	and	SQL	injection	flaws,	experimenting	with	each	in	several	hands-on	exercises.                                                   Malware: Fighting Malicious Code.		
Topics: Wireless Attacks; Discovering Access Points (Wire-Side and Wireless-Side); Wireless Crypto Flaws; Client-Side Wireless Attacks; Cross-Site   Ed	was	also	awarded	2004,	2005,	
        Scripting; Cross-Site Request Forgery; SQL Injection; Leveraging SQL Injection to Perform Command Injection
                                                                                                                                                     and	2006	Microsoft	MVP	awards	
560.6 Penetration Testing Workshop and Capture the Flag Event*                                                                                       for	Windows	Server	Security	and	
This	lively	session	represents	the	culmination	of	the	network	penetration	testing	and	ethical	hacking	                                               is	an	alumnus	of	the	Honeynet	
course,	where	attendees	will	apply	the	skills	that	they’ve	mastered	throughout	all	the	other	sessions	                                               Project.		Previous	to	Intelguard-
in	a	hands-on	workshop.		The	rest	of	the	course	covers	the	overall	process	for	successful	testing	with	                                              ians,	Ed	served	as	a	security	
a	series	of	hands-on	exercises	individually	illustrating	each	point.		But	in	this	final	workshop,	all	of	                                            consultant	with	International	
the	exercises	converge	into	an	overall	network	penetration-testing	workout,	where	attendees	will	
function	as	part	of	a	pen	test	team.                                                                                                                 Network	Services	(INS),	Predic-
Topics: Applying Penetration Testing and Ethical Hacking Practices End-to-end; Scanning; Exploitation; Pivoting; Analyzing Results                   tive	Systems,	Global	Integrity,	
                                                                                                                                                     SAIC,	and	Bell	Communications	
*This course is available to Security 560 participants only.
                                                                                                                                                     Research	(Bellcore).

Visit for more detailed course descriptions and additional information.                                   SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   59
     Six-Day Program
 Mon, Sept 29 – Sat, oct 4, 2008                  Wireless technology fundamentally changes accepted
9:00am–5:00pm		•		6	CPE/Day                       security paradigms.
                                                  With	the	pervasive	deployment	of	wireless	
                                                  technology,	attackers	have	latched	on	with	so-
Who Should Attend                                 phisticated	and	effective	techniques	to	exploit	
                                                  wireless	systems	at	work,	at	home,	or	on	the	
•		 ecurity	professionals	who	are	
                                                  road.		Despite	the	significant	threats,	orga-
  concerned	about	the	weaknesses	
                                                  nizations	are	deploying	WiFi,	Bluetooth,	and	
  of	wireless	networks											
                                                  proprietary	wireless	technology	at	a	break-neck	
•		 enetration	testers	who	want	                  pace.		This	can	expose	internal	networks	and	cli-         AUTHoR STATEMENT
  to	include	wireless	network	                                                                              t He wireless security field continues to
                                                  ent	systems,	often	allowing	attackers	to	bypass	
  security	assessments	in	their	
                                                  intrusion	detection	systems	and	other	defenses.           Astound me on A regulAr BAsis . i n mAny
  organization’s	services	offerings
                                                                                                            cAses , wireless lAn security HAs imProved ,
                                                  To	be	a	wireless	security	expert,	you	need	to	have	
•		 uditors	who	must	evaluate	
                                                  a	comprehensive	understanding	of	the	technol-             tHAnks to strong Protocols sucH As wPA
  wireless	networks	to	ensure	
                                                  ogy,	the	threats,	the	exploits,	and	the	defense	          or wPA2. w Hile tHis is A significAnt Boon
  they	meet	an	acceptable	level	
  of	risk	and	are	compliant	with	                 techniques,	with	hands-on	experience	in	evaluat-          towArd HelPing secure wireless networks ,

  organizational	policy	                          ing	and	attacking	wireless	networks.		This	course	        it isn ’ t slowing down tHe AttAck commu -
                                                  takes	an	in-depth	look	at	these	fields,	exposing	         nity , wHicH is insteAd focusing on otHer
                                                  you	to	wireless	security	threats	through	the	eyes	        weAknesses , including vulnerABle clients ,
                                                  of	an	attacker.		
 Get GAWN Certified                                                                                         Broken   AutHenticAtion      strAtegies    And

                                                  Using	readily	available	and	custom-devel-                 network mAniPulAtion AttAcks .       in   Addi -
                                                  oped	tools,	you’ll	navigate	your	way	through	             tion , AttAckers Are Becoming more focused
                                                  the	techniques	attackers	use	to	exploit	WiFi	             on otHer wireless systems tHAt HAve Been
                                                  networks,	including	attacks	against	WEP,	WPA/             overlooked , including   B luetootH , cellulAr
                                                  WPA2,	PEAP,	TTLS,	and	other	systems.		We’ll	also	         tecHnology And ProPrietAry systems sucH
                                                  examine	the	commonly	overlooked	threats	
                                                                                                            As wireless keyBoArds .    w Hile   develoPing
                                                  associated	with	Bluetooth,	WiMAX,	and	propri-
                                                                                                            tHis course , it BecAme cleAr to me tHAt in
   Reinforce what you learned                     etary	wireless	systems.		With	the	SWAT	toolkit,	
                                                                                                            order to Be An exPert in tHe wireless se -
    in training and prove your                    we’ll	back	up	the	course	content	with	hands-on	
                                                                                                            curity field , you need to not only under -
   skills and knowledge with a                    labs	and	practical	exercises	designed	to	rein-
        GAWN certification.                                                                                 stAnd tHe tHreAts of todAy , But to Also
                                                  force	the	course	concepts.	
                                                                                      Be ABle to APPly tHe lessons leArned from
                                                  Through	the	use	of	assessment	and	analysis	tech-
                                                                                                            PAst wireless security Blunders .    in   order
                                                  niques,	this	course	will	show	you	how	to	identify	the	
                                                                                                            to HelP you Become A wireless security ex -
                                                  threats	that	expose	wireless	technology,	building	
                                                                                                            Pert ,i tAke every oPPortunity to teAcH you
                                                  on	this	knowledge	to	identify	defensive	techniques	
      LAPToP                                      that	can	be	used	to	protect	wireless	resources.           ABout tHe tHreAts of todAy , And How to

     REqUIRED                                                                                               criticAlly AnAlyze wireless systems to iden -                        THE SWAT TOOLKIT CONSISTS OF:
                                                                                                            tify tHe tHreAts of tomorrow . B y tHe end
       laptop/sec617.php                          • AirPcap TX USB adapter
                                                                                                            of tHis course , you will HAve tHe vAluABle
                                                  • GPS
                                                                                                            And in - demAnd skills necessAry to Assess
                                                  • Bluetooth USB adapter
                                                                                                            tHe security of wireless tecHnology , And
                                                   PREREqUISITE                                             to design And dePloy systems to Protect
                                                   Students should have a working knowledge                 your orgAnizAtion from wireless tHreAts !
                                                   of wireless networks with experience in the
                                                                                                            -J osHuA w rigHt
                                                   design or deployment of wireless technology.

60    SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008           To register for SANS NETWORK SECURITY 2008, visit
Hacking and Defending Wireless Networks After completing this course, students will be
prepared to evaluate and critique the security of wireless networks. Using auditing and penetration-testing
techniques, students will be able to demonstrate wireless security flaws and build a clear assessment of the risks
associated with a specific deployment. Using this information, students will be able to design a secure wireless
network that addresses the challenges of wireless technology.

617.1 Wireless Architecture and Analysis*
Students	will	identify	the	risks	associated	with	modern	wireless	deployments	as	well	as	the	characteristics	
of	physical	layer	radio	frequency	systems	including	802.11a/b/g	and	pre-802.11n	systems.		Students	will	
leverage	open-source	tools	for	analyzing	wireless	traffic	and	mapping	wireless	deployments.
Topics: Wireless	Signal	Exposure	Threats;	Identifying	Threats	in	Wireless	Networks;	RF	Signal	Propagation	and	
       Transmission	Characteristics;	RF	Antenna	Gain	Types	and	Concepts;	Physical	Layer	Coding	Mechanisms;	
       Leveraging	Tools	Including	Kismet,	Wireshark,	and	gpsmap	for	Network	Mapping	and	Identification

617.2 Hands On – Part 1: Wireless Security Exposed*                                                                                 Senior Instructor
Students	will	take	on	an	in-depth	treatise	on	the	IEEE	802.11	MAC	layer	and	operating	characteristics.		Using	
passive	and	active	assessment	techniques,	students	will	evaluate	deployment	and	implementation	weak-                                Dr. Johannes Ullrich, PhD
nesses,	auditing	against	common	implementation	requirements	including	PCI	and	the	Department	of	De-                                 As	Chief	Research	Officer	for	
fense	Directive	8100.2.		Security	threats	introduced	with	rogue	networks	will	be	examined	from	a	defensive	
and	penetration-testing	perspective.		Threats	present	in	wireless	hotspot	networks	will	also	be	examined,	                          the	SANS	Institute,	Johannes	
identifying	techniques	attackers	can	use	to	manipulate	guest	or	commercial	hotspot	environment.	                                    is	currently	responsible	for	
Topics: 	IEEE	802.11	Framing;	AP	Fingerprinting;	Kismet	Post-Processing	Analysis;	Assessing	Information	Disclosure	
       Threats;	Auditing	Wireless	Policy	Compliance;	Evading	WIDS	Systems	with	Custom	Rogue	APs;	“Free	Public	WiFi”	                the	SANS	Internet	Storm	
       and	Ad-Hoc	Networks;	Wireless	Device	Triangulation;	Webmail	Session	Hijacking;	Defensive	Measures	for	Guest	
                                                                                                                                    Center	(ISC)	and	the	GIAC	
       Network	Deployment
                                                                                                                                    Gold	program.		He	founded	
617.3 Hands On – Part 2: Wireless Security Exposed*                                                                       	in	2000,	which	
Students	will	continue	their	assessment	of	wireless	security	mechanisms	including	the	identification	
and	compromise	of	static	and	dynamic	WEP	networks	and	exploiting	weak	authentication	techniques	                                    is	now	the	data	collection	
including	the	Cisco	LEAP	protocol.		Next-generation	wireless	threats	will	be	assessed	including	attacks	
against	client	systems	including	network	impersonation	attacks	and	traffic	manipulation.		Students	will	
                                                                                                                                    engine	behind	the	ISC.		
evaluate	the	security	and	threats	associated	with	common	wireless	MAN	technology	including	proprietary	                             His	work	with	the	ISC	has	
and	standards-based	solutions.
                                                                                                                                    been	widely	recognized,	
Topics: 	Introduction	to	The	RC4	Cipher;	Understanding	Failures	in	WEP;	Leveraging	Advanced	Tools	to	Accelerate	
       WEP	Cracking;	Attacking	MS-CHAPv2	Authentication	Systems;	Attacker	Opportunities	When	Exploiting	Client	                     and	in	2004,	Network World	
       Systems;	Manipulating	Plaintext	Network	Traffic;	Attacking	the	Preferred	Network	List	on	Client	Devices;	Network	
       Impersonation	Attacks;	Risks	Associated	with	WMAN	Technology;	Assessing	WiMAX	Flaws                                          named	him	one	of	the	50	

617.4 Hands On – Part 3: Wireless Security Exposed*                                                                                 most	powerful	people	in	
The	evaluation	of	modern	wireless	encryption	and	authentication	systems	are	covered,	identifying	the	                               the	networking	industry.	
benefits	and	flaws	in	WPA/WPA2	networks	and	common	authentication	systems.		Upper-layer	encryption	                                 Prior	to	working	for	SANS,	
strategies	for	wireless	security	using	IPSec	are	evaluated,	with	in-depth	coverage	of	denial-of-service	
attacks	and	techniques                                                                                                              Johannes	worked	as	a	lead	
Topics: 	Threats	Associated	with	the	WPA/TKIP	Protocol;	Implementing	Offline	Wordlist	Attacks	Against	WPA/WPA2-PSK	                 support	engineer	for	a	Web	
       Networks;	Understanding	the	PEAP	Authentication	Exchange;	Exploiting	PEAP	Through	RADIUS	Impersonation;	
       Recommendations	for	Securing	Windows	XP	Supplicants;	Exploiting	Wireless	Firmware	for	DoS	Attack;	Wireless	                  development	company	
       Packet	Injection	and	Manipulation	Techniques;	VPN	Network	Fingerprinting	and	Analysis	Tools
                                                                                                                                    and	as	a	research	physicist.	
617.5 Hands On – Part 4: Wireless Security Exposed*                                                                                 Johannes	holds	a	PhD	in	
Advanced	wireless	testing	and	vulnerability	discovery	systems	will	be	covered	including	802.11	fuzzing	
techniques.		A	look	at	other	wireless	technology	including	proprietary	systems,	cellular	technology	and	                            Physics	from	SUNY	Albany	
an	in-depth	coverage	of	Bluetooth	risks	will	demonstrate	the	risks	associated	with	other	forms	of	wireless	                         and	is	located	in	Jacksonville,	
systems	and	the	impact	to	organizations.	
Topics: 	Wireless	Fuzzing	Tools	and	Techniques;	Vulnerability	Disclosure	Strategies;	Discovering	Unencrypted	Video	                 Florida.
       Transmitters;	Assessing	Proprietary	Wireless	Devices;	Traffic	Sniffing	in	GSM	Networks;	Attacking	SMS	Messages	
       and	Cellular	Calls;	Bluetooth	Authentication	and	Pairing	Exchange;	Attacking	Bluetooth	Devices;	Sniffing	
       Bluetooth	Networks;	Eavesdropping	on	Bluetooth	Headsets
                                                                                                                                        “This is a fantastic
617.6 Wireless Security Strategies and Implementation*                                                                                   course! Anyone
The	final	day	of	the	course	evaluates	strategies	and	techniques	for	protecting	wireless	systems.		Students	                               responsible for
will	examine	the	benefits	and	weaknesses	of	WLAN	IDS	systems	while	gaining	insight	into	the	design	and	
deployment	of	a	public	key	infrastructure	(PKI).		Students	will	also	examine	critical	secure	network	design	                             administering a
choices	including	the	selection	of	an	EAP	type,	selecting	an	encryption	strategies	and	the	management	of	
client	configuration	settings.
                                                                                                                                         wireless network
Topics: 	WLAN	IDS	Signature	and	Anomaly	Analysis	Techniques;	Understanding	PKI	Key	Management	Protocols;	                                should attend.”
       Deploying	a	Private	Certificate	Authority	on	Linux	and	Windows	Systems;	Configuring	Windows	IAS	for	Wireless	
       Authentication;	Configuring	Windows	XP	Wireless	Settings	in	Login	Scripts                                                             -JosHuA Brown,
*This course is available to Security 617 participants only.                                                                               fleisHmAn HillArd

Visit for more detailed course descriptions and additional information.                 SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008   61
Dear Colleagues and Friends,
For the third year in a row SANS Network Security 2008 is back in Las
                                                                            Five Reasons to Register
Vegas with more classes, night sessions, and events than ever before!       1. The best career move you will
With SANS stationed in the middle of the world famous Vegas strip,             ever make
you will find amazing attractions, shows, restaurants, and shopping            That’s how one SANS alumnus described the IT security
all within walking distance. This city has so much more to offer than          education and networking opportunities offered by
                         just gambling – come see for yourself!                SANS. Attending SANS NETWORK SECURITY 2008 is a
                         The training event will be held at Caesars            way of investing in your career. To reap the maximum
                         Palace ( which is               benefit, read the course descriptions carefully. Check
                         an attraction in itself! This property features       out the 20 five- and six-day courses plus a wide variety of
                         the Forum Shops with over 160 stores and 14
                                                                               one to four-day shorter courses.
                         restaurants along with two free special effect
                         shows each evening. During SANS Network            2. Why settle for second best?
Security 2008 the hotel has informed us that the Coliseum’s schedule           If you want to increase your understanding of information
includes performances by Cher ( and Elton John                    security and become more effective in your job, you need
( Each show features a Broadway-style career                to be trained by the best. “SANS provides by far the most
overview performance. The hotel also has various dining options
                                                                               in-depth security training with the true experts in the field
from high-end celebrity restaurants and all-you-can-eat buffets to the
                                                                               as instructors,” says Mark Smith, Costco Wholesale.
Market Street Grill, a food court that is quite popular for a quick bite!
Caesars Palace has the largest square footage of any hotel on the           3. Challenge yourself!
strip. Since it will take approximately 10 minutes alone to get                Consider attempting GIAC (Global Information Assurance
from the front door to your classroom, we highly recommend                     Certification), the industry’s most respected technical
staying inside the hotel. We also highly recommend you book                    security certification. GIAC is the only information security
early since most likely we will not be able to guarantee our                   certification for advanced technical subject areas, includ-
special group rate after the deadline. Most guest rooms at                     ing audit, intrusion detection, incident handling, firewalls
Caesars Palace are right next door to our classrooms, so you can
                                                                               and perimeter protection, forensics, hacker techniques,
avoid the long walk. If you stay in the Palace Tower you will enjoy a
                                                                               and Windows and Unix operating system security.
larger upgraded room, amazing views of Vegas, and you will be just
an elevator ride away from class! As an extra treat, you will receive       4. Become part of an elite group
complimentary high-speed Internet – but only if you book under the             We’re referring to the group of technical, security-savvy
special SANS group rate.                                                       professionals who have had hands-on training through
Even though it will be warm outside, you still want to bring a jacket          SANS. Material taught in the SANS courses directly applies
for the climate-controlled classrooms and cooler evenings. You will            to real-world challenges in your IT environment. “Six days
also want to check out the NS 2008 program guide for all of the                of training gave me six months of work to do,” says Steven
action-packed presentations, receptions, and events as well as the
                                                                               Marscovetra of Norinchukin Bank. “It is amazing how
social board for student gatherings around the city. Please feel free to
                                                                               much of the training I can apply immediately at work.”
send me an e-mail at for more recommendations of
things to do in Las Vegas.                                                  5. Don’t miss out on a good opportunity
Our goal is to ensure that you have the best possible time at                 This is your chance to make a great career move, be taught
SANS Network Security 2008!                                                   by the cream of the crop, challenge yourself, and become
                                                                              part of an elite group during a full week of IT security
Brian Correia                                                                 education and networking opportunities. Come prepared
Brian Correia                                                                 to learn; we will come prepared to teach. Visit
Director, Venue Planning & Business Development
                                                                     and register today!
62   SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008
  SANS Training Without Travel                                                                              Future Training Events
   Nothing beats the experience of attending a live SANS
  training event with incomparable instructors and guest
 speakers, vendor solutions expos, and myriad networking                             Find these top SANS courses at the following events.
 opportunities. Sometimes, though, travel costs and a week                           SEC560: Network Penetration Testing and Ethical Hacking
away from the office are just not feasible. When limited time                        SEC401: SANS Security Essentials Bootcamp Style
and/or budget keeps you or your co-workers grounded, you
                                                                                     SEC504: Hacker Techniques, Exploits, and Incident Handling
       can still get great SANS training close to home.
                                                                                     SEC508: Computer Forensics, Investigation, and Response
  Consider SANS’ Seven Ways to Train Without Travel                                  MGT512: SANS Security Leadership Essentials for Managers with
                                                                                             Knowledge Compression™
SANS OnSite Your Location - Your Schedule!                                           MGT414: SANS® +S™ Training Program for the CISSP® Cert Exam
With	the	SANS	OnSite	program	you	can	bring	a	combination	of	high-quality	
content	and	world-recognized	instructors	to	your	location	and	realize	               AUD507: Auditing Networks, Perimeters, and Systems
significant	savings.	For	organizations	that	need	to	train	a	large	number	of	
professionals,	the	SANS	OnSite	program	is	hard	to	beat!
                                                                                     SEC617: Hacking and Defending Wireless Networks
                                                                                     SEC502: Perimeter Protection In-Depth
SANS OnDemand                                                                        SEC503: Intrusion Detection In-Depth
Online Security Training & Assessments
When	you	want	access	to	SANS’	high	quality	training	‘anytime,	anywhere’,	
choose	our	advanced	online	delivery	method!		OnDemand	is	designed	to	
provide	a	very	convenient,	comprehensive,	and	highly	effective	means	for	                                        SANSFIRE 2008
information	security	professionals	to	receive	the	same	intensive,	immersion	                                 Washington DC • July 22-31
training	that	SANS	is	famous	for.		Students	will	receive:
•	Four	months	access	to	online	training                                                                                   SEC560    SEC508      SEC617
•	Integrated	lectures	by	SANS	top-rated	instructors                                                                       SEC401    MGT512      SEC502
•	Assessments	to	reinforce	your	knowledge	throughout	the	course                                                           SEC504    MGT414      SEC503
•	Hard	copy	of	course	books                                                                                                         AUD507
•	Access	to	our	SANS	Virtual	Mentor

                                                                                                            SANS Boston 2008
•	Labs	&	hands-on	exercises
•	Progress	Reports

SANS @Home Personal SANS Instruction at Home                                                                                          August 9-17
SANS	@Home	delivers	live	instruction	via	the	Web	using	various	Internet-
based	technologies.	Streaming	audio,	instant	messaging,	online	forums,	and	                                                    SEC560    SEC508
e-mail	are	all	leveraged	to	make	the	student’s	online	learning	experience	as	                                                  SEC401   MGT414
fun	and	engaging	as	possible.	                                                                                                      SEC617

SANS Mentor Intimate Informal Instruction
The	SANS	Mentor	program	offers	the	flexibility	of	online,	self-paced	learning	
along	with	hands-on	mentor-led	interaction	through	sessions	where	students	               SANS virginia Beach 2008
can	try	the	exercises,	discuss	the	material,	ask	and	answer	questions,	and	help	                                                    August 21-29
each	other	learn	and	prepare	for	certification.		Mentors	are	people	who	have	
earned	certification	with	honors.		If	one	of	your	employees	has	met	this	bar,	                                                 SEC560  SEC504
he	or	she	can	begin	leading	a	mentored	program.		By	using	in-house	mentors,	                                                   SEC401  SEC508
you	enable	the	teachers	and	students	to	discuss	sensitive	issues	that	they	                                                        MGT512
might	not	feel	comfortable	discussing	with	outsiders.

SANS Self Study
For	the	motivated	student	who	enjoys	working	independently	we	offer	
the	SANS	Self	Study	program.		Students	receive	SANS	course	books	(and	
                                                                                     SANS Audit & Compliance 2008
CDs	when	applicable)	and	online	access	to	MP3	files	of	SANS’	world-class	                                       Chicago • September 3-10
instructors	teaching	the	material.		Study	texts	and	listen	to	the	lectures	at	
your	own	convenience	and	pace!                                                                                                SEC560      AUD507
                                                                                                                              MGT512      MGT411
Community SANS Community Training Events
The	Community	SANS	format	offers	the	most	popular	SANS	courses	in	your	
local	community	in	a	small	classroom	setting	—	most	courses	have	fewer	
than	25	students.		The	instructors	are	pulled	from	the	best	of	our	SANS	Mentor	
program	and	are	trained	by	top-rated	SANS	instructors	like	Eric	Cole	and	Ed	
                                                                                                      SANS Monterey 2008
Skoudis.		The	course	material	is	delivered	over	a	six-day	period,	just	like	it	is	                                  october 31-November 7
at	a	larger	SANS	event,	and	you	receive	all	the	same	content,	audio	files,	and	
other	materials.		We	provide	continental	breakfast	each	day	and	a	light	lunch	                                                 SEC560     MGT512
on	3	of	the	6	days	to	encourage	networking	among	students	and	faculty.                                                         SEC401     MGT414
                                                                                                                               SEC508     AUD507
Partnership Series
The	SANS	Partnership	Series	is	an	outreach	program	created	to	provide	
deeply	discounted	training	to	support	constituencies	that	have:
  1.	A	clear	impact	on	national	security
  2.	Large	numbers	of	information	security	practitioners
                                                                                     Cyber Defense Initiative 2008
  3.	Budget	constraints	that	limit	access	to	necessary	training                                        Washington DC • December 10-17
The	secret	to	this	successful	program	is	cost	reduction	realized	by	delivering	                                           SEC560    SEC508      SEC617
the	courses	to	large	classes	(125	or	more).                                                                               SEC401    MGT512      SEC502
                                                                                                                          SEC504    MGT414      SEC503                                                                                        AUD507
                                                                                                                             Amtrak offers a 10% discount off the lowest
                                                                                                                             available rail fare to Las Vegas, NV, between
                                                                                                                             September 25, 2008 – October 9, 2008. To book
                                                                                                                             your reservation call Amtrak at 1 (800) 872-7245 or
                                                                                                                             contact your local travel agent.
                                                                                                                             Fare Code: X96Q-926
                                                                                                                             Avis is proud to offer special rates for SANS
        SANS NETWORK SECURITY 2008 will be located at                                                                        NETWORK SECURITY 2008. Make your reservations
                                                                                                                             now, and don’t forget to use your special discount
                   Caesars Palace                                                                                            code: J945620
                     3570	Las	Vegas	Blvd			•			Las	Vegas,	NV	89109	US	                                                       Parking is available in the parking garage on
                       Phone:	877-427-7243			•                                                             Frank Sinatra Drive. There is valet parking available
                                                                                                                             at the hotel as well as the Colosseum. ALL PARKING
                                         SPECIAL RATES                                                                       IS COMPLIMENTARY AT CAESARS PALACE.                                             Weather Conditions
                                                                                                                             Although Las Vegas is a city situated in a desert
 A special discount rate of $185 S/D will be honored based on space availability.
                                                                                                                             climate, the seasonal weather can actually vary.
  This rate includes high-speed Internet in your room. Make your reservations
                                                                                                                             Late September/early October temperatures
      now as this special rate is only available through September 5, 2008.
                                                                                                                             range from 46-85˚, with a mean of 65˚. Visitors
        You must mention that you are attending SANS NETWORK SECURITY 2008
                                                                                                                             are encouraged to plan for warm dry days with
                     to get the discounted rate including high-speed Internet.
                                                                                                                             dramatically cooler evenings. For a current forecast,
   The hotel will require a major credit card to guarantee your reservation. To cancel your reservation, you must notify
                                the hotel at least 7 days before your planned arrival date.                                  please check

How to Register                                                                                                    D I S CO U N T S
1. To register, go to                                          Register Early Discounts
Select your course or courses and indicate whether you plan to test
for GIAC certification. If the course is still open, the secure, online             $350 discount Register	&	pay	by	Wed,	August	20,	2008
registration server will accept your registration. Sold-out courses will            $250 discount Register	&	pay	by	Wed,	September	3,	2008
be removed from the online registration. We do not take registra-
tions by phone.                                                                     Group Discounts
2. Provide payment information.                                                     15% discount	if	12	or	more	people	from	the	same	
Even if you do not want to submit your payment information online,                  organization	register	at	the	same	time
still complete the online form! There is an option to submit credit
                                                                                    10% discount	if	8–11	people	from	the	same	organization	
card information for payment by fax OR phone once the online form                   register	at	the	same	time
is completed and you have your invoice number.
SANS ACCEPTS oNLY US and CANADIAN FEDERAL                                           5% discount	if	4–7	people	from	the	same	organization	
GovERNMENT PURCHASE oRDERS                                                          register	at	the	same	time	
If you normally use a PO and are not part of the federal government,                To obtain a group discount code for registration, complete the
please see our additional PO information on the tuition information                 discount code request form at
                                                                                   Frequently Asked questions
3. Print Your Invoice.                                                             Frequently asked questions about SANS Training and GIAC Certification - the industry standard
You must print YOUR OWN INVOICE at the end of the online registra-                 for security knowledge – are posted at
tion process if you need one. The invoice will pop up automatically
                                                                                   Cancellation Deadline: Wednesday, September 10, 2008
when the registration is successfully submitted. You may also access
your invoice at                                   You may substitute another person in your place at any time by sending an e-mail to
                                                                          or faxing to 301-951-0140. There is a $300 cancellation fee per
4. E-mail confirmation will arrive soon                                            registration. Cancellation requests must be received by Wednesday, September 10, 2008, by fax
   after you register.                                                             or mail-in order to receive a refund.
64      SANS NETWORK SECURITY 2008 Las Vegas, NV Sept 28 – Oct 6, 2008
       SANS NETWORK SECURITY 2008 Registration Form
                                      ONLINE REGISTRATION                                                                                                                                                      Follow These Three Easy Steps
                             Fax or mail this form ONLY if you do not have Internet access!                                                                                                                    1 Select Your Course(s)
                                                                                                                                                                            By     By    After
      AUD410                  IT Security Audit and Control Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $3,295
                                                                                                                                                                         8/20/08 9/3/08 9/3/08
                                                                                                                                                                                             $3,395   $3,645   2 Complete Identification and Payment Information
      AUD507                  Auditing Networks, Perimeters, and Systems  . . . . . . . . . . . . . . . . . . . . . . 3,395                                                                   3,495    3,745      Please print clearly. E-mail is used to confirm registration and notify you of updates.
      LEG523                  Legal Issues in Information Techology and Security . . . . . . . . . . . . . 2,795                                                                              2,895    3,145   First Name _____________________________________________________________
      MGT411                  SANS 17799/27001 Security and Audit Framework  . . . . . . . . . . . . . 3,395                                                                                  3,495    3,745
      MGT414                  SANS® +S™ Training Program for the CISSP® Cert . Exam  . . . . . 3,295                                                                                          3,395    3,645   Last Name _____________________________________________________________
      MGT504                  Hacking For Managers  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9,745                   9,845   10,095
      MGT512                  SANS Security Leadership Essentials for Managers  . . . . . . . . . . . . . . 4,850                                                                             4,950    5,200   Nickname for Badge (Optional) ____________________________________________
      MGT525                  Project Management and Effective Communications  . . . . . . . . . . 3,245                                                                                      3,345    3,595
      SEC301                  Intro to Information Security  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2,895                              2,995    3,245   Job Title _______________________________________________________________
      SEC401                  SANS Security Essentials Bootcamp Style  . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3,445                                                          3,545    3,795
                                                                                                                                                                                                               Company ______________________________________________________________
      SEC501                  Advanced Security Essentials ++ - GIAC Enclave Defender  . 3,045                                                                                                3,145    3,395
      SEC502                  Perimeter Protection In-Depth  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3,395                                    3,495    3,745   Address _______________________________________________________________
      SEC503                  Intrusion Detection In-Depth  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3,395                                 3,495    3,745
      SEC504                  Hacker Techniques, Exploits, and Incident Handling  . . . . . . . . . . . . 3,495                                                                               3,595    3,845   Mailstop/Floor __________________________________________________________
      SEC505                  Securing Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3,395            3,495    3,745
      SEC506                  Securing Unix/Linux  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3,195              3,295    3,545   City____________________________________________ State__________________
      SEC508                  Computer Forensics, Investigation, and Response  . . . . . . . . . . . . . . . 3,475                                                                            3,575    3,825
                                                                                                                                                                                                               Zip/Postal Code ________________________ Country_________________________
      SEC509                  Securing Oracle  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3,395    3,495    3,745
      SEC560                  Network Penetration Testing and Ethical Hacking  . . . . . . . . . . . . . . . 3,895                                                                            3,995    4,245   Student’s e-mail address __________________________________________________
      SEC610                  REM: Malware Analysis Tools and Techniques  . . . . . . . . . . . . . . . . . . . . . . 2,665                                                                   2,765    3,015
      SEC617                  Hacking and Defending Wireless Networks  . . . . . . . . . . . . . . . . . . . . . . . . . 3,570                                                                3,670    3,920   Phone ________________________________________________________________
           Add $499 for Proctored GIAC Certification Exam                                                                                                                                                      Men’s Polos M L XL XXL Women’s Polos S M L XL XXL
           Add $379 for OnDemand Training & Assessments Bundle                                                                                                                                                 Would you like to be included in the attendee list (check one)? Yes No
                                                                                                                                                        If taking a
Skill-Based Short Courses
  SEC304 Software Security Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N/A $ 499
                                                                                                                                                   5-6 day course
                                                                                                                                                                                              $ 499    $ 499
                                                                                                                                                                                                               3 Indicate Payment Method and Calculate Total
  SEC334 SANS Training for the CompTIA Security+ Cert . . . . . . . . . . . N/A 2,864                                                                                                         2,964    3,214     Check payable to “SANS Institute” noting “SANS NS2008 and the attendee name”
  SEC419 H Web Application Security Essentials . . . . . . . . . . . . . . . . . . . . . . . . 1,150 1,644                                                                                    1,744    1,994     on memo line
  MGT421H SANS Leadership and Management Competencies  . . . . 575 1,114                                                                                                                      1,214    1,464     Bank Transfer ________________________________________________________
  SEC427 H Browser Forensics  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N/A 499                                               499      499                  (Provide Bank Name Here)
  MGT431 Secure Web Services for Managers  . . . . . . . . . . . . . . . . . . . . . . . . . . 1,150 1,644                                                                                    1,744    1,894     Federal Government P.O. enclosed (U.S./Canada only)
  MGT432 Information Security for Business Executives  . . . . . . . . . . . . . .N/A 1,775                                                                                                   1,875    2,125     Visa     American Express      MasterCard       Diners    Discover
  SEC517 H Cutting-Edge Hacking Techniques  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575 899                                                                                 999    1,249
  AUD521 H Meeting the Minimum: PCI/DSS 1 .1:  . . . . . . . . . . . . . . . . . . . . . . 1,150 1,644                                                                                        1,744    1,994   Card #____________________________________________ Expires ______ /______
  SEC522 Defending Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1,725 2,695                                                                         2,795    3,045
  SEC526 H Next Evolution in Digital Forensics  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575 899                                                                               999    1,249   Name on Card __________________________________________________________
  SEC531 H Windows Command-Line Kung Fu In-Depth  . . . . . . . . . . . . . . 575 899                                                                                                           999    1,249
  SEC536 Secure Coding for PCI Compliance  . . . . . . . . . . . . . . . . . . . . . . . . . . . 1,150 1,644                                                                                  1,744    1,994   Signature______________________________________________________________
  SEC538 H Web Application Penetration Testing Fundamentals 1,150 1,644                                                                                                                       1,744    1,994   Billing Address (If different from identification information)
  SEC540 SANS VoIP Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1,150 1,744                                                   1,844    2,094
  SEC541 Secure Coding in Java/JEE: Developing Def . Apps . . . . . . . N/A 2,845                                                                                                             2,945    3,195   ______________________________________________________________________
  SEC542 Web Application Penetration Testing In-Depth  . . . . . . . . . . N/A 2,895                                                                                                          2,995    3,245
                                                                                                                                                                                                               Telephone    ___________________________________________________________
  SEC545 PHP Secure Coding  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1,150 1,644                                                   1,744    1,994
  SEC546 IPv6 Essentials  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575 899                                         999    1,249   TOTAL AMOUNT FROM TABLE OF FEES                         $__________________________
  SEC550 H Power Search with Google  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N/A 499                                                                  499      499
  SEC553 H Up and Running with the Metasploit Framework  . . . . . . 575 899                                                                                                                    999    1,249   Group Discounts for Training Program
  SEC556 Comprehensive Packet Analysis  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575 899                                                                               999    1,249   4+ from the same organization, same day registration          =            5%
  SEC601 REM: The Essentials of Malware Analysis . . . . . . . . . . . . . . . . . . . . . N/A 1,644                                                                                          1,744    1,994
                                                                                                                                                                                                               8+ from the same organization, same day registration          =            10%
  SEC602 REM: Additional Tools and Techniques  . . . . . . . . . . . . . . . . . . . . . . . . N/A 1,644                                                                                      1,744    1,994
  SEC609 Security Research  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1,150 1,644                                               1,744    1,994   12+ from the same organization, same day registration         =            15%
  HOSTED DIACAP  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N/A 3,045                        3,145    3,395   Discounts DO NOT apply towards the $499 GIAC Certification fee. Only one
  HOSTED Macintosh Forensic Survival Course . . . . . . . . . . . . . . . . . . . . . . . . . N/A 3,400                                                                                       3,500    3,750   discount may be used per customer per registration/order. Discounts may not
  HOSTED Mobile Phone Forensics Survival Course  . . . . . . . . . . . . . . . . . N/A 3,400                                                                                                  3,500    3,750   overlap. If you are eligible for more than one discount, we will apply the discount
 H Price includes STAR (Skills Test and Report)                                                                                                                                                                of the largest percentage.
Individual Courses Available                                                                                                                                                                                   Discount of _______ for _______ people                 $___________________________
                                THU/24                         FRI/25                          SAT/26                         SUN/27                         MON/28                          TUE/29
AUD410         410 .1    410 .2       410 .3       410 .4     410 .5     410 .6                                                                                                                                Total for Course Proceedings                           $___________________________
LEG523         523 .1    523 .2       523 .3       523 .4     523 .5
MGT411         411 .1    411 .2       411 .3       411 .4     411 .5     411 .6                                                                                                                                TOTAL REGISTRATION AMOUNT                              $___________________________
MGT414         414 .1    414 .2       414 .3       414 .4     414 .5     414 .6
SEC301         301 .1    301 .2       301 .3       301 .4     301 .5
SEC401         401 .1    401 .2       401 .3       401 .4     401 .5     401 .6
SEC501         501 .1    501 .2       501 .3       501 .4     501 .5     501 .6                                                                                                                                Continuing Education CISSP #
SEC502         502 .1    502 .2       502 .3       502 .4     502 .5     502 .6
               503 .1
                                                                                                                                                                                                                                                                                                        Use Brochure Code

SEC504         504 .1
SEC505         505 .1    505 .2       505 .3       505 .4     505 .5     505 .6                                                                                                                                FULL PAYMENT MUST ACCOMPANY REGISTRATION FORM!
SEC506         506 .1    506 .2       506 .3       506 .4     506 .5     506 .6                                                                                                                                Mail this form to: SANS
                                                                                                                                                                                                                                  8120 Woodmont Avenue, Suite 205
Individual Course Day Rates If Not Taking a Full Course - DO NOT INCLUDE STAR                                                                                                                                                     Bethesda, Maryland 20814
1 Day of Courses ............................................................................................... $914 $1,014 $1,164
2 Days of Courses ............................................................................................ 1,664 1,764 1,914                                                                               SANS Federal ID# is 52-1935637
3 Days of Courses ............................................................................................ 2,414 2,514 2,664
4 Days of Courses ............................................................................................ 2,864 2,964 3,114                                                                                Questions? Call 301-654-SANS(7267) 9:00 am - 8:00 pm (Mon-Fri) Eastern Time
5 Days of Courses ............................................................................................ 3,264 3,364 3,514                                                                                If you do not have Internet access, fax this registration form to 301-951-0140.
6 Days of Courses ............................................................................................ 3,614 3,714 3,864                                                                                By faxing this form, you automatically agree to SANS policies:
7 Days of Courses ............................................................................................ 3,914 4,014 4,164                                                                      
8 Days of Courses ............................................................................................ 4,214 4,314 4,464