“I hold three GIAC certifications, have attended multiple classes, and nothing prepares me to do my job better than SANS Online Training.” —Rick Whitmore, University of Kansas
SANS ONLINE TRAINING
ONDEMAND: E-learning Available Anytime, Anywhere, at Your Own Pace
vLIVE: Live Online Training from Your Own Home or Office
SIMULCAST: Attend a SANS Training Event Without Leaving Home
SELFSTUDY: Self-Paced Training for the Disciplined InfoSec Student
The SANS Institute is the most trusted training provider for information security professionals around the world. SANS provides live training (from small groups to multicourse training events), online training (from self-paced to instructor-led), certification, education, and free community resources. This training guide and the enclosed IT Security Training Roadmap will help you plan your education and accelerate your career! The roadmap pullout contains all of the course, certification, and career information you need to chart a course to success in Cyber Defense, Penetration Testing, Digital Forensics and Incident Response, or another information security field. You’ll find the roadmap between pages 8 and 9.
Also in this catalog:
• SANS Upcoming Live Events
• Cyber Defense
• Penetration Testing
• Digital Forensics
• Software Security
• Audit, Management, Legal
- www.sans.org -
sans.org/ondemand
Reasons to Choose SANS OnDemand
• Four Months of Access to Comprehensive Online Training, Virtual Labs and Quizzes
• Access to Highly Qualified Subject-Matter-Experts
• Web-Based Training Accessible 24/7 from Your Desktop, Laptop, iPad, or Android Tablet
• Taught by SANS’ Top Instructors, Including Rob Lee, Ed Skoudis and Steve Sims
• No Travel or Time Away from the Office
• Includes Video Labs and Hands-On Exercises
• Complete Set of Books and Course Media
• Course Progress Reports
• Over 30 Courses Available – Anytime, Anywhere
• Supplemental Preparation Tool for the GIAC Exam

OnDemand
Train Anytime, Anywhere, At Your Own Pace

If you’re a self-motivated learner who prefers a flexible training schedule, then SANS OnDemand is the right learning platform for you. Choose from more than 30 courses, and take them whenever and wherever you want. Each course gives you four months of access to our OnDemand computer-based training platform, which includes a mix of presentation slides, video demonstrations, quizzes, virtual labs, and audio of SANS’ top instructors teaching the material.

The SANS OnDemand Platform offers numerous features and benefits that make it the best cybersecurity training available. Here are two of them:
• Online Chat Support – SANS subject-matter experts are available for real-time assistance and can answer most questions no matter how complex.
• Pause, rewind, and playback speed options – One unique feature of our online training platforms is the ability to control the pace of your learning. You have the ability to pause for a break, rewind to revisit previous content again and again, or adjust the speed of the presentation to speed up or slow down the pace of every lesson.
See the current SANS Online Training special offer at www.sans.org/online-security-training/specials to get started today.
“I love the OnDemand option. With family and work schedules, OnDemand was the only way I could finish the course. I also really enjoyed listening to the class.” FRED LEEZER, CARDINAL HEALTH
FOR MORE INFORMATION, CONTACT US:
[email protected] 301-654-SANS (7267) sans.org/ondemand
OnDemand Courses

CYBER DEFENSE AND PENETRATION TESTING:
• SEC301: Intro to Information Security
• SEC401: Security Essentials Bootcamp Style
• SEC501: Advanced Security Essentials - Enterprise Defender
• SEC503: Intrusion Detection In-Depth
• SEC504: Hacker Tools, Techniques, Exploits and Incident Handling
• SEC505: Securing Windows and PowerShell Automation
• SEC506: Securing Linux/Unix
• SEC511: Continuous Monitoring and Security Operations
• SEC542: Web App Penetration Testing and Ethical Hacking
• SEC560: Network Penetration Testing and Ethical Hacking
• SEC566: Implementing and Auditing the Critical Security Controls - In-Depth
• SEC575: Mobile Device Security and Ethical Hacking
• SEC579: Virtualization and Private Cloud Security
• SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques
• SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking

DIGITAL FORENSICS & INCIDENT RESPONSE:
• FOR408: Windows Forensic Analysis
• FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting
• FOR518: Mac Forensic Analysis
• FOR572: Advanced Network Forensics and Analysis
• FOR578: Cyber Threat Intelligence
• FOR585: Advanced Smartphone Forensics
• FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

SECURITY MANAGEMENT:
• MGT414: SANS Training Program for CISSP® Certification
• MGT512: SANS Security Leadership Essentials for Managers with Knowledge Compression™
• MGT514: IT Security Strategic Planning, Policy and Leadership

SOFTWARE SECURITY:
• DEV522: Defending Web Applications Security Essentials
• DEV541: Secure Coding in Java/JEE: Developing Defensible Applications
• DEV544: Secure Coding in .NET: Developing Defensible Applications

IT AUDIT:
• AUD507: Auditing and Monitoring Networks, Perimeters and Systems

LEGAL SECURITY:
• LEG523: Law of Data Security and Investigations

INDUSTRIAL CONTROL SYSTEMS:
• ICS410: ICS/SCADA Security Essentials
• ICS515: ICS Active Defense and Incident Response

Course offerings are subject to change, please visit www.sans.org/online-security-training for regularly updated information.
sans.org/vlive
Reasons to Choose SANS vLive
• Live Evening Courses Taken from the Convenience of Your Home or Office
• Access to Highly Qualified Subject-Matter-Experts
• Six Months of Online Course Access
• Meet Twice per Week for Six Weeks
• Course Content Authored by Instructors
• Labs, Hands-On Exercises and Archived Lectures
• Complete Set of Books and Course Media
“Overall, I am much happier with the Web-based live training as there is (a) no travel required, (b) no travel budget required, and (c) some ‘soak time’ between modules (as well as time to complete the exercises before the next session). It’s still a bit of a fire hose to drink from, but I would heartily recommend this format.” —BILL STACKPOLE, ROCHESTER INSTITUTE OF TECHNOLOGY
vLive
Live Online Training from Your Own Home or Office

vLive courses from SANS Institute are taken via online classrooms that typically meet two evenings per week for six weeks and are taught by SANS’ top instructors. They feature challenging labs and exercises that develop skills, help reinforce concepts, and are supported by subject-matter-experts. Simply log in at the scheduled times and join your instructor and classmates in an interactive virtual classroom. Don’t worry if you can’t attend every live session; classes are recorded and you can review the class archives for six months.

Taking a vLive course and being a part of an interactive virtual classroom offers you numerous advantages. You’ll not only be able to interact with your peers and have access to SANS subject-matter-experts, just as importantly you’ll benefit from direct, real-time interaction with our world-class instructors throughout your course.
See the current SANS Online Training special offer at www.sans.org/online-security-training/specials to get started today.
FOR MORE INFORMATION, CONTACT US:
[email protected] 301-654-SANS (7267) sans.org/vlive
vLive Courses
2016 COURSE SCHEDULE:
• Nov 1, 2016 - Dec 8, 2016: SEC504: Hacker Tools, Techniques, Exploits and Incident Handling
• Nov 7, 2016 - Dec 14, 2016: MGT414: SANS Training Program for CISSP® Certification
• Nov 8, 2016 - Dec 15, 2016: FOR572: Advanced Network Forensics and Analysis
• Dec 5, 2016 - Jan 25, 2017: SEC542: Web App Penetration Testing and Ethical Hacking
• Dec 6, 2016 - Jan 26, 2017: SEC560: Network Penetration Testing and Ethical Hacking
• Dec 13, 2016 - Feb 2, 2017: SEC401: Security Essentials Bootcamp Style

2017 COURSE SCHEDULE:
The following courses will be available throughout 2017 (go to www.sans.org/vlive/courses for an up-to-date schedule):
• SEC301: Intro to Information Security
• SEC401: Security Essentials Bootcamp Style
• SEC501: Advanced Security Essentials - Enterprise Defender
• SEC503: Intrusion Detection In-Depth
• SEC504: Hacker Tools, Techniques, Exploits and Incident Handling
• SEC511: Continuous Monitoring and Security Operations
• SEC542: Web App Penetration Testing and Ethical Hacking
• SEC560: Network Penetration Testing and Ethical Hacking
• FOR408: Windows Forensic Analysis
• FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting
• FOR572: Advanced Network Forensics and Analysis
• FOR578: Cyber Threat Intelligence
• FOR585: Advanced Smartphone Forensics
• FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
• MGT414: SANS Training Program for CISSP® Certification
• MGT512: SANS Security Leadership Essentials for Managers with Knowledge Compression™

Course offerings are subject to change, please visit www.sans.org/online-security-training for regularly updated information.
sans.org/simulcast
Reasons to Choose SANS Simulcast
• Live Daytime Courses Taken from the Convenience of Your Home or Office
• Four Months of Online Course Access
• Complete a Course in One Week
• Course Content Authored by Instructors
• Labs, Hands-On Exercises and Archived Lectures
• Highly Qualified Subject-Matter-Expert Support
• Complete Set of Books and Course Media
• No Travel Required

Simulcast
Attend a SANS Training Event Without Leaving Home

Simulcast training from the SANS Institute gives you the opportunity to attend a one-week live training event from your own home or office via virtual classroom technology. Complete a SANS course quickly from anywhere in the world while still learning from top SANS instructors and a classroom of peers.

There are many reasons why SANS students love taking their courses through the Simulcast Platform. Through Simulcast, you receive a real-time live stream of your instructor, and real-time interaction with the moderator, peers, and the Subject-Matter-Experts. It is a great SANS learning experience without the travel time and costs, and Simulcast students have the same learning outcomes as other training modalities, indicating that Simulcast students retain the knowledge learned as if they were actually in the classroom.

Live from SANS Pen Test HackFest 2016
• Nov 4 - 9, 2016: SEC560: Network Penetration Testing and Ethical Hacking

Live from SANS Cyber Defense Initiative 2016
• Dec 12 - 17, 2016: FOR408: Windows Forensic Analysis
• Dec 12 - 17, 2016: SEC504: Hacker Tools, Techniques, Exploits and Incident Handling
• Dec 12 - 17, 2016: SEC511: Continuous Monitoring and Security Operations
• Dec 12 - 17, 2016: FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting

Additional Simulcast courses will be available from these 2017 events:
• SANS 2017, Orlando, FL - April 7-14, 2017 www.sans.org/event/sans-2017
• SANS Security West 2017, San Diego, CA - May 11-18, 2017 https://www.sans.org/event/sans-security-west-2017
• SANS Rocky Mountain, Denver, CO - Jun 12-17, 2017 https://www.sans.org/event/rocky-mountain-2017
• SANSFIRE, Washington, D.C. - Jul 24-29, 2017

There will be numerous additional Simulcast opportunities throughout 2017 – please check www.sans.org/simulcast/courses for an up-to-date schedule of Simulcast courses.

“I’m at home taking the online Simulcast class but I feel like I’m there in the room. I don’t feel isolated at all. I just have access to my comforts while taking the class.” — Deona Vastine, State of California
SelfStudy

SelfStudy is self-paced training for the motivated and disciplined InfoSec student. Most SANS Cyber Defense, Penetration Testing, Digital Forensics and Incident Response, Industrial Control Systems, Developer, Audit and Legal courses are available for completion via SANS SelfStudy. For more information, visit www.sans.org/selfstudy.
SANS Voucher Program
The SANS Voucher Program allows an organization to manage its training budget from a single SANS Account and centrally administer its training. Based on the amount of the training investment, an organization could be eligible to receive bonus funds. The investment and bonus funds can be used to register for any SANS course, including all OnDemand, Simulcast, or vLive courses, and for GIAC certification attempts and exams. If your organization already has a SANS Voucher account, contact your administrator today and start your course tomorrow! For more information about the SANS Voucher Program, visit www.sans.org/vouchers. Please Note: Due to the pre-negotiated discounts offered by SANS Voucher Programs, they cannot be combined with any other promotions.
Host a Private Simulcast for Your Organization

SANS has the ability to stream a private Simulcast to meet the needs of your organization’s distributed workforce. A SANS instructor will teach a course to your live employee audience and remote students will attend the exact same session as your live students in real-time via Simulcast technology in a virtual classroom. Remote students participate in labs, ask questions through the moderator and interact with Subject Matter Experts via the Simulcast interface. All students also receive 4 months of access to the recorded archives. For more information about SANS Private Simulcast training opportunities, visit www.sans.org/simulcast/private-training or contact us at [email protected]
ABOUT SANS
SANS Institute is the largest provider of information security training and education in the world. Since 1989, SANS has trained more than 140,000 cybersecurity professionals and delivered free news, research and resources to thousands more. SANS programs and services also include private training options, free webcasts and blogs, the CyberTalent applicant assessment program, and the VetSuccess and Women’s Academy talent pool programs.

SANS Live and Online Training: More than 55 information security courses are taught around the world and online by an unparalleled faculty of industry leaders. www.sans.org

GIAC: 30 cybersecurity certifications are available, in cyber defense, penetration testing, digital forensics, ICS/SCADA and more. www.giac.org

SANS Technology Institute: Accredited graduate programs and graduate certificates in information security completed via SANS training. www.sans.edu

Securing The Human: Employee security awareness program applicable to every organization. securingthehuman.sans.org

Internet Storm Center: Moment-by-moment intrusion detection news for the world’s cyber defense community. isc.sans.edu

NetWars: A suite of live and online, hands-on, interactive scenario challenges to help you master a wide range of skills. www.sans.org/netwars

Experience DFIR NetWars Tournament: An incident simulator packed with a vast amount of forensic, malware analysis, threat hunting, and incident response challenges designed to help students gain proficiency without the risk associated with working real-life incidents. www.sans.org/netwars/dfir-tournament
Learn more about SANS Institute at:
www.sans.org
Upcoming Live Events

SANS Cyber Defense Initiative 2016 Washington, DC • December 10-17, 2016 www.sans.org/event/cyber-defense-initiative-2016
Live Simulcast Courses Available
39 Courses, NetWars & More!
SANS 2017 Orlando, FL • April 7-14, 2017 www.sans.org/event/sans-2017
Live Simulcast Courses Available
38 Courses, NetWars & More!
SANS Security West 2017 San Diego, CA • May 11-18, 2017 http://www.sans.org/event/sans-security-west-2017
Live Simulcast Courses Available
SANSFIRE Washington, DC • July 24-29, 2017
Live Simulcast Courses Available
36 Courses, NetWars & More!
PROVE YOUR SKILLS STAY COMPETITIVE GET GIAC CERTIFIED!
“GIAC defines a higher level of mastery and skill that is required in order to earn the credential. GIAC really stands out among other security certifications.” —Josh Ringer, Benfis Health System

30+ Specialized certifications are available now, learn more at www.giac.org

Where to find the SANS Institute:
Twitter: @SANSInstitute
LinkedIn: SANS Institute
Blogs: www.sans.org/security-resources/blogs
Webcasts: www.sans.org/webcasts
Internet Storm Center: isc.sans.edu
SANS Reading Room: www.sans.org/reading-room
Cyber Defense
It seems that wherever you turn, organizations are being broken into and the fundamental question that everyone wants answered is “Why?” Why do some organizations get broken into and others not? Our Cyber Defense curriculum mission is to teach you what needs to be done to keep an organization secure. The Critical Security Controls outlined below will enable you to identify risk, determine highest priorities, focus in on the areas that really matter, and measure progress against established baselines to improve your overall security posture.

Critical Security Controls V6.1

The Center for Internet Security (CIS) Critical Security Controls Version 6.1
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7: Email and Web Browser Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 10: Data Recovery Capability
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 14: Controlled Access Based on the Need to Know
CSC 15: Wireless Access Control
CSC 16: Account Monitoring and Control
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises

Overview of Threat Categories

To help through the process of cataloging any threats to information systems, four categories or families of threats have been identified. Those categories are as follows:

PHYSICAL THREATS
Includes: Threats to the confidentiality, integrity, or availability of information systems that are physical in nature. These threats generally describe actions that could lead to the theft, harm, or destruction of information systems.

RESOURCE THREATS
Includes: Threats to the confidentiality, integrity, or availability of information systems that are the result of a lack of resources required by the information system. These threats often cause failures of information systems through a disruption of resources required for operations.

PERSONNEL THREATS
Includes: Threats to the confidentiality, integrity, or availability of information systems that are the result of failures or actions performed by an organization’s personnel. These threats can be the result of deliberate or accidental actions that cause harm to information systems.

TECHNICAL THREATS
Includes: Threats to the confidentiality, integrity, or availability of information systems that are technical in nature. These threats are most often considered when identifying threats and constitute the technical actions performed by a threat actor that can cause harm to an information system.

PATCHING: AN OODA LOOP
OBSERVE: Track security bulletins, advisories
ORIENT: Assess applicability, operational issues, risk
DECIDE: Prioritize remediation strategy
ACT: Rollout, Monitor, Manage “breakage”
CYBER DEFENSE CURRICULUM: cyber-defense.sans.org

Course Descriptions

SEC301: Intro to Information Security
This introductory course is the fastest way to get up to speed in information security. The entry-level course includes a broad spectrum of security topics and real-life examples, and can be used to prepare for GISF Certification. sans.org/SEC301

SEC401: Security Essentials Bootcamp Style
In this course, students learn the language and underlying theory of computer and information security. Since all jobs today require an understanding of security, this course will help you understand how security applies to your job. In addition, students will gain the essential and latest knowledge and skills required for effective management of security systems and processes. sans.org/SEC401

SEC501: Advanced Security Essentials – Enterprise Defender
A key theme of this course is that prevention is ideal, but detection is a must. Security professionals must know how to constantly advance security efforts in order to prevent as many attacks as possible. This prevention needs to occur both externally and internally via portable, network and server environments. sans.org/SEC501

SEC503: Intrusion Detection In-Depth
The purpose of this course is to acquaint students with the core knowledge, tools and techniques necessary to defend networks. Spanning a wide variety of topics, from foundational materials such as TCP/IP to detecting an intrusion, this training will provide students with in-depth knowledge on intrusion detection. sans.org/SEC503

SEC505: Securing Windows and PowerShell Automation
In SEC505 students learn to defend against pass-the-hash attacks, administrator account compromise, and the lateral movement of hackers inside the network by implementing the Critical Security Controls and PowerShell in a Windows environment. sans.org/SEC505

SEC506: Securing Linux/Unix
Experience in-depth coverage of Linux and Unix security issues and examine how to mitigate or eliminate general problems that apply to all Unix-like operating systems. Specific configuration guidance and practical, real-world examples, tips, and tricks are provided to help students remove vulnerabilities. sans.org/SEC506

SEC511: Continuous Monitoring and Security Operations
The Defensible Security Architecture and Network Security Monitoring/Continuous Diagnostics and Mitigation/Continuous Security Monitoring taught in this course will best position your organization or Security Operations Center to analyze threats and detect anomalies that could indicate cybercriminal behavior. sans.org/SEC511

SEC566: Implementing and Auditing the Critical Security Controls – In-Depth
As threats evolve, an organization’s security should as well. To enable your organization to stay on top of this ever-changing scenario, SANS designed this course to train students how to implement the Twenty Critical Security Controls – a prioritized, risk-based approach to security that was designed by a master group of private and public sector experts from around the world. sans.org/SEC566

SEC579: Virtualization and Private Cloud Security
Learn best practices for configuring and designing virtual security controls and infrastructure, and determine how your vulnerability assessment and forensic processes can be updated to more accurately detect and manage risks in virtual and cloud environments. sans.org/SEC579
Penetration Testing

What Makes SANS Penetration Testing Courses Special?
In SANS penetration testing courses, you will learn in-depth, hands-on skills associated with the most powerful and common attacks today. For penetration testers, vulnerability assessment personnel, and Red Teamers, you’ll be able to apply your skills in your very next project, providing even more technical depth and business value. For cyber defenders, you’ll gain key insights into offensive tactics that will help you significantly improve your organization’s defenses. And, for forensic analysts, incident handlers, and Blue Teamers, SANS penetration testing courses will transform your understanding of your adversary’s methods and help you anticipate and counter the attacker’s next move.

What Is High-Value Penetration Testing and Why Is It Important?
A high-value penetration test has several aspects:
• It models the activities of real-world attackers…
• To find vulnerabilities in target systems…
• And exploits them under controlled circumstances…
• Applying technical excellence to determine and document risk and potential business impact…
• In a professional, safe fashion according to a carefully designed scope and rules of engagement…
• With the goal of helping an organization prioritize.
These skills will help every cyber security professional in their work of securing their organization.

Penetration Testing Resources
pen-testing.sans.org/resources
Twitter: @SANSPenTest
Blog: pen-testing.sans.org/blog
LinkedIn: linkedin.com/company/sans-pentest
SPOTLIGHT ON SANS FACULTY FELLOW ED SKOUDIS
“Successful penetration testers don’t just throw a bunch of hacks against an organization and regurgitate the output of their tools. Instead, they need to understand how these tools work in-depth, and conduct their test in a careful, professional manner. Our courses explain the inner workings of numerous tools and their use in effective network penetration test and ethical hacking projects.” - Ed Skoudis
PENETRATION TESTING CURRICULUM: pen-testing.sans.org

Course Descriptions

SEC504: Hacker Tools, Techniques, Exploits and Incident Handling
Modern attack techniques and their associated defenses are covered in this course, so that offense can inform defense to improve the state of security in your organization by preparing you to handle incidents caused by the latest threats. sans.org/SEC504

SEC542: Web App Penetration Testing and Ethical Hacking
Through detailed, hands-on exercises, this intermediate to advanced level course will provide you with the skills needed to perform web app vulnerability discovery and exploitation for your organization. sans.org/SEC542

SEC560: Network Penetration Testing and Ethical Hacking
In-depth pen testing skills learned in SEC560 prepare you to conduct professional-grade pen tests, end-to-end, including scoping, recon, scanning, exploitation, and post-exploitation. sans.org/SEC560

SEC575: Mobile Device Security and Ethical Hacking
Secure design, deployment, operation and pen testing of mobile devices and their associated infrastructures are the topics of this course. Top-notch lessons on device analysis, app exploitation, mobile device management and wireless infrastructures are included. sans.org/SEC575

SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques
In this course you will experience intense web app and web services exploitation, diving deep into the mechanics of web app infrastructures and protocols to find and fix subtle yet hugely damaging flaws before the hackers do. sans.org/SEC642

SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
This course is designed to take your skills to a whole new level, with in-depth information and techniques about targeting network infrastructures, fuzzing to find vulnerabilities, exploiting crypto problems, writing and customizing exploits for Windows and Linux, and more. sans.org/SEC660

INDUSTRIAL CONTROL SYSTEMS CURRICULUM: ics.sans.org

ICS410: ICS/SCADA Security Essentials
SANS has joined forces with industry leaders to equip security professionals and control system engineers with the cybersecurity skills they need to defend national critical infrastructure. This course provides a foundational set of standardized skills and knowledge for industrial cybersecurity professionals. The course is designed to ensure that the workforce involved in supporting and defending industrial control systems is trained to keep the operational environment safe, secure, and resilient against current and emerging threats. sans.org/ICS410

ICS515: ICS Active Defense and Incident Response
This course will help you deconstruct ICS cyber attacks, leverage an active defense to identify and counter threats in your ICS, and use incident response procedures to maintain the safety and reliability of operations. The course will empower students to understand their networked industrial control system environment, monitor it for threats, perform incident response against identified threats, and learn from interactions with the adversary to enhance network security. This process of monitoring, responding to, and learning from threats internal to the network is known as active defense. sans.org/ICS515
With today’s ever-changing technologies and environments, it is inevitable that every organization will deal with cybercrime. Over 60% of all breach victims learn of a compromise from third-party notifications, not from internal security teams. In most cases, adversaries have been rummaging through your network undetected for months or even years. Adversaries are no longer compromising one or two systems in enterprises; they are compromising hundreds. Organizations of all sizes are in need of personnel that can master incident response techniques that can properly identify compromised systems, provide effective containment of the breach, and ultimately rapidly remediate the incident. Likewise, Government & Law Enforcement Organizations are in need of skilled personnel to perform media exploitation and recover key evidence available on adversary systems & devices.

To help solve these challenges, organizations are relying on digital forensic professionals and cybercrime teams to piece together a comprehensive account of what happened. Whether your job requires you to generate accurate intelligence to detect current & future intrusions in your company’s network, or decrypt and analyze a suspect’s digital device that contains key evidence to solve your case, our DFIR courses are built under the premise that digital forensics, incident response, media exploitation and threat hunting teams are the keys to successfully identify evidence, mitigate a possible threat and provide a comprehensive account of an incident.

• Hunting for the adversary before and during an incident across your enterprise
• In-depth digital forensics knowledge of the Microsoft Windows and Apple OSX operating systems
• Examining portable smartphone and mobile devices to look for malware and digital forensic artifacts
• Incorporating network forensics into your investigations, providing better findings, and getting the job done faster
• Leaving no stone unturned by incorporating memory forensics during your investigations
• Understanding the capabilities of malware to derive threat intelligence, respond to information security incidents, and fortify defenses
• Identifying, extracting, prioritizing, and leveraging cyber threat intelligence from advanced persistent threat (APT) intrusions
• Recognizing that a properly trained incident responder could be the only defense an organization has during a compromise.

As a forensics investigator, you need to know what you’re up against, and you need to have the most up-to-date knowledge of how to detect and fight it—that is what SANS DFIR classes will teach you.
“I am a huge SANS fan, this is my second course and I plan on taking as many as I can fit into the company’s training budget for future years.” - Kurt Manke, Organic Valley
14
AC GI
ST
UD Y
ST
LF SE
UL CA SIM
IVE
DE
MA vL
digital-forensics.sans.org
ON
DIGITAL FORENSICS & INCIDENT RESPONSE CURRICULUM
ND
Course Descriptions
FOR408: Windows Forensic Analysis
This course focuses on building in-depth digital forensics knowledge of the Microsoft Windows operating systems. You can’t protect what you don’t know about, and understanding forensic capabilities and artifacts is a core component of information security. Learn to recover, analyze, and authenticate forensic data on Windows systems. sans.org/FOR408

FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting
This in-depth incident response and threat hunting course provides responders and threat hunting teams with advanced skills to hunt down, identify, counter, and recover from a wide range of threats within enterprise networks, including APT nation-state adversaries, organized crime syndicates, and hacktivism. sans.org/FOR508

FOR518: Mac Forensic Analysis
Mac Forensic Analysis aims to form a well-rounded investigator by introducing Mac forensics into a Windows-based forensics world. This course focuses on topics such as the HFS+ file system, Mac-specific data files, tracking user activity, system configuration, analysis and correlation of Mac logs, Mac applications, and Mac-exclusive technologies. sans.org/FOR518

FOR526: Memory Forensics In-Depth
This is a critical course for any serious DFIR investigator who wants to tackle advanced forensics, trusted insider, and incident response cases. In today’s forensics cases, it is just as critical to understand memory structures as it is to understand disk and registry structures. Having in-depth knowledge of Windows memory internals allows the examiner to access target data specific to the needs of the case at hand. sans.org/FOR526

FOR572: Advanced Network Forensics and Analysis
There is simply no incident response action that doesn’t include a communications component any more. Whether you conduct threat hunting operations or post-mortem incident response, understanding how systems have communicated is critical to success. Network data and artifacts are the key to success. sans.org/FOR572

FOR578: Cyber Threat Intelligence
During a targeted attack, an organization needs a top-notch threat hunting or incident response team armed with threat intelligence to understand how adversaries operate and to counter the threat. This course will train you and your team in the tactical, operational, and strategic cyber threat intelligence skills and tradecraft required to make security teams better, threat hunting more accurate, incident response more effective, and organizations more aware of the evolving threat landscape. sans.org/FOR578

FOR585: Advanced Smartphone Forensics
It is almost impossible today to conduct a digital forensic investigation that does not include a smartphone or mobile device. The smartphone may be the only source of digital evidence tracing an individual’s movements and motives, and can provide the who, what, when, where, why, and how behind a case. This course teaches real-life, hands-on skills that help handle investigations involving even the most complex smartphones currently available. sans.org/FOR585

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
Understanding the capabilities of malware is critical to an organization’s ability to derive threat intelligence, respond to information security incidents, and fortify defenses. This popular course builds a strong foundation for reverse-engineering malicious software using a variety of system and network monitoring utilities, a disassembler, a debugger, and other tools useful for turning malware inside-out. sans.org/FOR610
Software Security Curriculum (software-security.sans.org):

DEV522: Defending Web Applications Security Essentials
This is the course to take to learn how to defend web applications. Traditional network defenses, such as firewalls, fail to secure web applications. The quantity and importance of data entrusted to web applications is growing, and defenders need to learn how to secure that data. sans.org/DEV522

DEV541: Secure Coding in Java/JEE: Developing Defensible Applications
This course teaches students how to build secure Java applications and gain the knowledge and skills to keep a website from getting hacked, counter a wide range of application attacks, prevent critical security vulnerabilities that can lead to data loss, and understand the mindset of attackers. Learn foundational defensive techniques, cutting-edge protection, and Java EE security features you can use in your applications as soon as you return to work. sans.org/DEV541

DEV544: Secure Coding in .NET: Developing Defensible Applications
This course will help students leverage built-in and custom defensive technologies to integrate security into their applications. Students will examine actual code, work with real tools, build applications, and gain confidence in the resources they need to improve the security of .NET applications. sans.org/DEV544

Audit Curriculum:

AUD507: Auditing and Monitoring Networks, Perimeters and Systems
This course is organized to provide a risk-driven method for tackling the enormous task of designing an enterprise security-validation program. After covering a variety of high-level audit issues and general audit best practices, the students will have the opportunity to dive deep into the technical how-to for determining the key controls that can be used to provide a level of assurance to an organization. sans.org/AUD507

Management Curriculum:

MGT414: SANS Training Program for CISSP® Certification
This course is designed to prepare you to pass the current CISSP® Certification Exam. It is an accelerated review course that assumes the student has a basic understanding of networks and operating systems and focuses solely on the eight domains of knowledge as determined by (ISC)². sans.org/MGT414

MGT512: SANS Security Leadership Essentials for Managers with Knowledge Compression™
This completely updated course is designed to empower advancing managers who want to get up to speed quickly on information security issues and terminology. You won’t just learn about security, you will learn how to manage security. sans.org/MGT512

MGT514: IT Security Strategic Planning, Policy and Leadership
This course teaches security professionals how to navigate the ever-growing world of security by developing strategic plans, creating effective information security policy, and developing management and leadership skills. sans.org/MGT514

Legal Curriculum:

LEG523: Law of Data Security and Investigations
This course will teach you the law of business, contracts, fraud, crime, IT security, IT liability and IT policy – all with a focus on electronically stored and transmitted records. The course also teaches investigators how to prepare credible, defensible reports, whether for cyber crimes, forensics, incident response, human resources or other investigations. sans.org/LEG523
Course Descriptions
Course Pricing
LIMITED TIME OFFER Ends January 18!
iPAD PRO or $500 OFF

SPECIAL OFFER DETAILS: The SANS Online Training iPad Pro or $500 off offer is a fantastic opportunity to make the most of your training budget while getting an exciting new training tool with your course! More than 30 OnDemand and vLive online courses that are eligible for this offer can be completed from your own computer. Train from anywhere, anytime! Use your remaining training budget to complete cutting-edge information security courses AND receive an iPad Pro! All of SANS’ Online Training features the same expert instructors, courseware and exercises as live training.

This limited time offer is easy to redeem, and your iPad Pro will be shipped soon after your registration payment is received. Redeem this offer in three simple steps:
1. Visit www.sans.org/online-security-training/specials
2. Select an eligible OnDemand or vLive online course
3. Use your chosen discount code during checkout to receive either:
• To receive a Silver iPad Pro: MACA17_Silver
• To receive a Gold iPad Pro: MACA17_Gold
• To receive a Space Gray iPad Pro: MACA17_Gray
• To receive a Microsoft Surface Pro 4: PCA17
• To receive a $500 course discount: 500A17
For more detailed information about our Online Training formats, see pages 2-7. iPad Pro and Microsoft Surface Pro 4 are only available to individuals in the United States or Canada. The $500 discount is available globally. This offer expires January 18, 2017, and payment must be received by this expiration date to participate in the offer. Allow up to 4 weeks for iPad Pro or Microsoft Surface Pro 4 delivery. Canada customers are responsible for paying any applicable duties, taxes or customs fees. This offer cannot be combined with any other offer or discount, including SANS Voucher Program. This offer does not apply when courses are incorporated into certain larger SANS-related special programs, including the graduate program of the SANS Technology Institute. SANS course offerings are subject to change at any time, please refer back to SANS.org for up-to-date course information. SANS shall not be held liable for students who elect marketing promotions or discounts that are not consistent with their employer’s Standards of Conduct and/or procurement standards. SANS reserves the right to substitute this offer for an alternative product, service or cash award of approximately equivalent retail value. iPad Pro is a trademark of Apple Inc., registered in the U.S. and other countries. Microsoft Surface Pro 4 is a registered trademark of Microsoft.
Cyber Defense and Penetration Testing:
SEC301: Intro to Information Security   $5,130
SEC401: Security Essentials Bootcamp Style   $5,910
SEC501: Advanced Security Essentials - Enterprise Defender   $5,910
SEC503: Intrusion Detection In-Depth   $5,910
SEC504: Hacker Tools, Techniques, Exploits and Incident Handling   $5,910
SEC505: Securing Windows with PowerShell and the Critical Security Controls   $5,820
SEC506: Securing Linux/Unix   $5,910
SEC511: Continuous Monitoring and Security Operations   $5,910
SEC542: Web App Penetration Testing and Ethical Hacking   $5,910
SEC560: Network Penetration Testing and Ethical Hacking   $5,910
SEC566: Implementing and Auditing the Critical Security Controls - In-Depth   $5,130
SEC575: Mobile Device Security and Ethical Hacking   $5,910
SEC579: Virtualization and Private Cloud Security   $5,910
SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques   $5,910
SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking   $5,910

Digital Forensics & Incident Response:
FOR408: Windows Forensic Analysis   $5,910
FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting   $5,910
FOR518: Mac Forensic Analysis   $5,910
FOR526: Memory Forensics In-Depth   $5,910
FOR572: Advanced Network Forensics and Analysis   $5,910
FOR578: Cyber Threat Intelligence   $5,910
FOR585: Advanced Smartphone Forensics   $5,910
FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques   $5,910

Security Management:
MGT414: SANS Training Program for CISSP® Certification   $5,240
MGT512: SANS Security Leadership Essentials for Managers with Knowledge Compression™   $5,530
MGT514: IT Security Strategic Planning, Policy and Leadership   $5,130

Software Security:
DEV522: Defending Web Applications Security Essentials   $5,820
DEV541: Secure Coding in Java/JEE: Developing Defensible Applications   $4,640
DEV544: Secure Coding in .NET: Developing Defensible Applications   $4,640

IT Audit:
AUD507: Auditing & Monitoring Networks, Perimeters and Systems   $5,820

Legal Security:
LEG523: Law of Data Security and Investigations   $5,130

Industrial Control Systems:
ICS410: ICS/SCADA Security Essentials   $5,450
ICS515: ICS/SCADA Advanced Course   $5,710

Course prices are subject to change. Visit www.sans.org/online-security-training for regularly updated information.
Compare the Features of All 4 Online Training Formats: Available Course Options

Formats compared: OnDemand, vLive, Simulcast, SelfStudy

Features compared (the chart's per-format check marks and its 4 Mo. / 6 Mo. access periods are not reproduced here):
Taught by an Unparalleled Faculty of Information Security Leaders
Custom Courseware Written for SANS, Including Books, CDs and Exercises
E-Learning Platform Available for 4 Months
Live Evening Meetings for 5 or 6 Weeks
Live Daytime One-Week Courses
Integrated Quizzes to Reinforce Learning
Subject-Matter Expert Support
Real-Time Access to Instructors
Virtual Lab Access
MP3 Archives of Instructor Lectures
Archived Live Course Recordings
Minimal Impact on Your Normal Routine
Flexible & Effective SANS Training from Your Own Computer
No Travel Cost
Online Voucher Credits May Be Applied to Course Fees

Watch the quick video comparison of SANS’ Online Training formats at www.sans.org/online-security-training

Prove Your Skills | Stay Competitive | Get GIAC Certified!
“GIAC is the only certification that proves you have hands-on technical skills” - Christina Ford, Department of Commerce
More than 30 Specialized certifications are available now. Learn more at www.giac.org

The 4 Coolest Jobs in Information Security

MANAGEMENT: CISO/ISO or Director of Security
Job Description: Today’s Chief Information Security Officers are no longer defined the way they used to be. While still technologists, today’s CISO/ISOs must have business acumen, communication skills, and process-oriented thinking. They need to connect legal, regulatory, and local organizational requirements with risk taking, financial constraints and technological adoption.
Why It’s Cool: Directors of Security are the ones who decide where to build the “watch towers”, how many rangers are stationed in the park, where fires can be safely built, and what the greater rules of engagement are. Their experience gives them a high-level and vital view of the risks involved in doing business, and they are trusted to focus on business goals and remove threats to achieving those goals.
Recommended SANS Courses:
MGMT414: SANS Training Program for CISSP® Certification
MGMT515: SANS Security Leadership Essentials for Managers with Knowledge Compression™
MGMT525: IT Project Management, Effective Communication, and PMP® Exam Prep

SOC (Security Operations Center) Analyst
Job Description: The SOC Analyst is responsible for assessing and monitoring the organization’s computer network and information systems to ensure that they are properly defending against attacks. The Analyst’s role includes proactively defending an organization, fixing vulnerabilities before they are exploited by an adversary AND reactively detecting attacks, determining how the adversaries break in, and defending the organization to contain and control the amount of damage that is caused.
Why It’s Cool: The SOC is typically the first line of defense and responsible for keeping an organization’s most critical assets protected and secure. Being on the front line, watching attacks and being able to react in real time is one of the most exciting areas of cyber security. Catching attacks in progress and correcting vulnerabilities make a real difference in protecting an organization.
Recommended SANS Courses:
SEC401: Security Essentials Bootcamp Style
SEC501: Advanced Security Essentials - Enterprise Defender
SEC502: Perimeter Protection In-Depth
SEC503: Intrusion Detection In-Depth
SEC511: Continuous Monitoring and Security Operations

Information Security Crime Investigator/Forensics Expert
Job Description: This expert analyzes how intruders breached the infrastructure in order to identify additional systems/networks that have been compromised. Investigating traces left by complex attacks requires a forensic expert who is not only proficient in the latest forensic, response, and reverse engineering skills, but is astute in the latest exploit methodologies.
Why It’s Cool: In the private world, the security guy just cleans up the mess to try and keep the ship afloat, but when criminals strike, the crime investigator gets to see that the bad guys go to jail. Want to see the face of your enemy... behind bars? It’s a thrill like no other - being pitted against the mind of the criminal and having to reconstruct his lawless path.
Recommended SANS Courses:
FOR408: Computer Forensic Investigations - Windows In-Depth
FOR508: Advanced Computer Forensic Analysis and Incident Response

System, Network, Web Pen Tester
Job Description: This expert finds security vulnerabilities in target systems, networks, and applications in order to help enterprises improve their security. By identifying which flaws can be exploited to cause business risk, the pen tester provides crucial insights into the most pressing issues and suggests how to prioritize security resources.
Why It’s Cool: There is nothing like finding the magic back door that everyone says isn’t there! The power to understand how systems can be penetrated and misused is something less than one percent of people in the entire security industry know, let alone the average citizen.
Recommended SANS Courses:
SEC504: Hacker Tools, Techniques, Exploits & Incident Handling
SEC542: Web App Penetration Testing and Ethical Hacking
SEC560: Network Penetration Testing and Ethical Hacking
SEC575: Mobile Device Security and Ethical Hacking
SEC617: Wireless Ethical Hacking, Penetration Testing, and Defenses
SANS Core NetWars

To learn more, go to http://www.sans.org/20coolestcareers

Discover a Path to Success with SANS
The Most Trusted Name in Computer Security Education, Certification and Research

IT Security Training Roadmap
The IT Security Training Roadmap inside is a representation of the studies needed to advance your career in seven paths of information security. Use this guide to plan your personal growth in the industry.

Online Training Formats

OnDemand (www.sans.org/ondemand)
OnDemand is a custom-made, comprehensive e-learning platform that allows you to complete SANS Institute training from anywhere in the world, at any time. More than 30 pre-recorded SANS courses are packaged and accessible for four months with OnDemand enrollment. Using the course presentation slides, audio from lectures, video demonstrations, quizzes and labs, along with support from live Subject-Matter Experts, the OnDemand learning experience will help you master a subject in all of its depth and complexity.

vLive (www.sans.org/vlive)
vLive is a live evening classroom course format that gives you the structure and interaction of a live course, along with the flexibility and repetition of an online course. Weekly meetings and six months of access to all course recordings and materials allow vLive students to have the best of both live and online training.

Simulcast (www.sans.org/simulcast)
Simulcast allows students who cannot travel to a live SANS event to experience the one-week live course via remote access. Students log in to the online classroom and experience an interactive and hands-on learning program, without traveling. All of the course books and materials are also provided.

SelfStudy (www.sans.org/selfstudy)
SelfStudy online training provides students with SANS course books, exercises, lecture MP3s, and quizzes for a self-paced learning experience.

OnDemand Bundles: It’s also possible to add the features of OnDemand to a live course. If you plan to attend a one-week course at one of SANS’ many live events, consider adding an OnDemand Bundle to get extended access to the course archives, the custom e-learning platform to manage your progress and continuous support from Subject-Matter Experts. www.sans.org/ondemand/bundles

OnSite Simulcast courses can also be arranged to meet your organization’s custom or private training needs. Visit www.sans.org/onsite for more information.
SANS IT Security Training and Your Career Roadmap

Roadmap pullout (graphic). Training formats marked on the roadmap: OnDemand, vLive, Simulcast, SelfStudy.

Curriculum panels: Security Curriculum, Developer Curriculum, Forensics Curriculum, Management Curriculum, IT Audit Curriculum, Legal Curriculum, Industrial Control Systems Curriculum.

Track labels: Beginners, Core, In-Depth, Specialized, Network Security, Penetration Testing, System Administration, Incident Handling, Intrusion Analysis, Secure Coding.

SEC301 NOTE: If you have experience in the field, please consider starting with our more advanced course – SEC401.

Courses shown on the roadmap:
SEC301: Intro to Information Security
SEC401: Security Essentials Bootcamp Style
SEC501: Advanced Security Essentials – Enterprise Defender
SEC502: Perimeter Protection In-Depth
SEC503: Intrusion Detection In-Depth
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
SEC505: Securing Windows and PowerShell Automation
SEC506: Securing Linux/Unix
SEC511: Continuous Monitoring & Security Operations
SEC542: Web App Pen Testing and Ethical Hacking
SEC560: Network Pen Testing and Ethical Hacking
SEC566: Implementing & Auditing the Critical Security Controls – In-Depth
SEC575: Mobile Device Security and Ethical Hacking
SEC579: Virtualization and Private Cloud Security
SEC617: Wireless Ethical Hacking, Pen Testing & Defenses
SEC642: Advanced Web App Pen Testing and Ethical Hacking
SEC660: Advanced Pen Testing, Exploit Writing, and Ethical Hacking
DEV522: Defending Web Applications Security Essentials
DEV541: Secure Coding in Java/JEE: Developing Defensible Applications
DEV544: Secure Coding in .NET: Developing Defensible Applications
FOR408: Windows Forensic Analysis
FOR508: Advanced Digital Forensics and Incident Response (also shown as Advanced Computer Forensic Analysis & Incident Response)
FOR518: Mac Forensic Analysis
FOR526: Memory Forensics In-Depth
FOR572: Advanced Network Forensics and Analysis
FOR578: Cyber Threat Intelligence
FOR585: Advanced Smartphone Forensics
FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
MGT305: Technical Communication and Presentation Skills for Security Professionals
MGT414: SANS Training Program for CISSP® Certification
MGT415: A Practical Introduction to Cyber Security Risk Management
MGT512: SANS Security Leadership Essentials For Managers with Knowledge Compression™
MGT514: IT Security Strategic Planning, Policy and Leadership
MGT535: Incident Response Team Management
AUD507: Auditing Networks, Perimeters, and Systems
LEG523: Law of Data Security and Investigations
ICS410: ICS/SCADA Security Essentials
ICS515: ICS Active Defense and Incident Response

Many of these courses are also offered at live events! Visit www.sans.org for a complete listing of SANS events.