Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

SANS SEC401 – Security Essentials

Everybody should have a good foundation to build from. After all, there’s no point in building a tower of knowledge, just to find that the foundations can’t hold it up. SANS Security Essentials is a great course to provide that foundation.

One of the things I love to hear from students after teaching Security 401 is “I have worked in security for many years and after taking this course I realized how much I did not know.” With the latest version of Security Essentials and the Bootcamp, we have really captured the critical aspects of security and enhanced those topics with examples to drive home the key points. After attending Security 401, I am confident you will walk away with solutions to problems you have had for a while plus solutions to problems you did not even know you had.
– Eric Cole

Dr. Eric Cole on YouTube — Introducing Security Essentials

This class covers a lot of ground. I know the average SANS class is packed with juicy knowledge and tasty technical goodness, but the 401 class really crams it in. 11-12 Hours a day, and 6 days long. It’s not any easy task to take in everything, but Dr. Eric Cole is a great instructor, and really helps make things clear. As you’d expect from a class of this type, the content is wide-spreading and not as in-depth as some of the other SANS courses. Then again, this is what you’d expects from a course of this type. There’s no point in building a good foundation in 3 areas of the security landscape and skipping the rest. The 401 class covers the areas you need to know about without going too in-depth in any one thing. There’s plenty here for you to think about and it certainly gives you an idea of where your weak points are, and how to fill them in.

Day 1 – Networking Concepts

It’s hard to protect your network without knowing whats really going on on the wire. The first day of the 401 class was dedicated to understanding the fundamentals of networking, from the cable up. The information covered is just enough to really understand whats going on, without having to be a packet-monkey, or expert in routing protocols. Sure, there’s some exercises on decoding IP/TCP headers with pen and paper, but nothing that complex. As long as you can add up that is. It’s not rocket science after all 😉 Day 1 concluded with some virtualization and physical security modules. It was nice to see the physical security aspects covered where so many classes tend to skip over the topic.

Day 2 – Defense In-Depth

I’m a big fan of defense in-depth, and always try to drum it into clients when testing systems. After all, a single piece of equipment that stops all attacks is only good until you can find a bypass for it. When that happens, you’re completely exposed, unless you’re layering your defenses. Eric covered a lot of ground here in day 2. Malware, worms and trojans, alongside policy, password security and web-application attacks and defense. Again there’s just enough here to understand the basics without confusing people who’ve started the class with a clean slate. If you’re an old hand, there’s still information here to be had. Even though I’ve been through the 560, 542 and 709 classes, there still points that make me sit up and pay attention. Nobody knows everything after all.

Day 3 – Internet Security Technologies

Day 3 kicked off with discussion of attacks and hardening of systems. Coverage of IDS/IPS/HIDS and some great hints and tips about maximizing your firewall protection and layout. Even though most people know what a firewall does and how it works, people rarely consider the pros and cons of multiple firewalls, positioning and using packet, stateful and proxy filters to maximize the protection without overloading the systems. Discussion of signature based protections vs. Anomaly analysis (including the method of using clipping levels to improve identification of possibly suspicious traffic/behaviour). To give the students a hands-on experience with IDS, a short module on Snort (including writing a simple Snort rule) is included as the 3rd day draws to a close.

Day 4 – Secure Communications

After finishing up the risk analysis module from Day 3, we moved quickly into one of the sections of the class I was really looking forward to, encryption. Eric took the class from basics of cryptography (ROT-13, Caesar Cipher) through to a surprisingly easy to understand diagram on how Diffie-Hellmen Key Exchange really works. There was good coverage of data protection in-transit, at rest and the key points of key management issues. Moving away from cryptography toward mobile and wireless, we covered a range of different connection solutions. In particular, Bluetooth, 802.11, and ZigBee were covered in-depth. It was good to see the newer technologies such as ZigBee discussed even in the essentials class. To bring it home for day 4 we talked about VoIP and the increasing convergence of technology within the enterprise.

Day 5 – Windows Security

As with the other days, we kicked off day 4 with the final module of the previous day. In this case we talked about OPSEC (Operations Security). OPSEC is taking a step back from the technical and making sure that the appropriate risks are being addresses. It’s all about the Big Picture and protection of company information. Tracking and finding your companies weaknesses can also give you an idea where your competitors may have fallen short. To kickoff the Windows section of the class, we covered the basics of Windows Access Controls, patching and hot fixes, as well as the all important backup/restore of critical data. Of course no Windows security class would be complete without the extensive coverage of access permissions, rights and controls.

To tie in with the previous cryptography discussions we talked about EFS and Bitlocker and the pros/cons of using TPM (with USB token, PIN) to enforce boot integrity. Naturally we spent time looking at the technical side of security policies (GPOs, Security templates, …) and the issue of dealing with extensive security policies in large-scale Windows environments.  Finishing up we covered automation when it comes to securing and maintaining security of systems. It’s interesting to see Microsoft’s move to more command line based solutions. Give it another 10 -15 years and it’ll be just as good as Linux at the command line 😉

Day 6 – Linux Security

Kicking things off for the last day, Eric went over the key differences and histories that make Linux and Windows such polar opposites. As you can imagine, a large part of the time today was spent discussing the intricacies of the*nix permissions system (including SUID, GUID and sticky bits). It was interesting to cover the usage of groups and the ability to assign passwords to specific groups using gpasswd. It was also good to get a quick overview of how PAM fits into the overall Linux authentication and user account management. pam_cracklib and pam_unix are something I’ll definitely be looking at more in the future. Finally I really get the permission system used in Linux. All it takes sometimes, is a simple down to earth explanation.

Jumping from permissions, we did a quick overview of the boot processes, run-levels and services. It’s great to hear little tips and tricks from people who work with this stuff on a daily basis. Things like the RC scripts. Newer systems (anything in the last 5 years) can handle 2 startup files with the same number (i.e. S08service and S08service2). Older systems would only run 1 of the services, and ignore the other. Certainly an important note when working on older *nix systems.

In the logging and monitoring section we covered a number of interesting log files. Of special interest to me (as a penetration tester), was the /var/run/btmp log file. If this file is present on a system, it contains information on failed logon attempts, with the attempted password listed in plaintext. Obviously this could be a great source of information if a user mis-types their password. At the very least, it’s a starting point for a brute-force of that account. At best, you have the users password and can start guessing what they mis-typed. As you’d expect a range of logging and centralised log management was discussed. After all, no talk on *nix logging would be complete without mentioning SYSLOG and SYSLOG-NG.

Winding up the class we touched on *nix patch management and enhancing the security of Linux. As you’d expect, we spent some time discussing APT and RPM based patching solutions, before moving into IPTables, TripWire and Bastille Linux.

It’s been an exhausting 6 days… but I feel like I’ve filled in a few gaps in my knowledge. I’ve especially enjoyed working with Dr Eric Cole and hearing about his take on various topics. Eric has a lot of knowledge to bring to the table, and I hope to attend another of his classes in the future.


There’s far too much information crammed into this class to really write about every topic covered. Then again, that’s not the point of this review. I’ve covered the key points we discussed, and hope it gives a good overview for people looking at taking this class in the future. I would say however, that SANS updates the classes on a regular basis. So your mileage may vary 😉

I stand by my earlier comments that the security essentials class gives a good foundation. However, I would append a small note. If you’re already an experienced InfoSec person, then there will be times when you’re required to review things you already know. This isn’t a bad thing, as there’s always a few points that are worth reviewing, or described from a different standpoint. When looking purely at the content of the course and the method/style of delivery, I would highly recommend this class as the place to start when it comes to moving into InfoSec. The broad level of knowledge is both theoretical and technical, yet not too in-depth too get sidetracked into a single topic for too long. If you’re already working in InfoSec, then checkout the assessment test below to see what your level of knowledge is.

If you want to test yourself and see where the gaps in your knowledge are, you can use the SANS Security Essentials assessment Test to see how you score.

%d bloggers like this: