Security Laboratory

Security Leadership Essentials Fairway Markers

By Stephen Northcutt
Version 1.1

These are the sections that make up the latest SANS Security Leadership Essentials course (Management 512). Each section heading below gives the GSLC course objective (CO) name, the objective statement, and the page numbers in the 2010_1226 edition of the course books (or the day on which that section starts); the lines under each heading are the key points the manager should be able to explain.

Business Situational Awareness The manager will demonstrate familiarity with the concept of situational awareness and the fundamental sources of information that lead to business situational awareness. Day 1
To align security with the needs of the business, you must know the company's financials and products; you must know the business
Factors that reduce business situational awareness
Temet Nosce: know your strengths and weaknesses
Time Management
Several important objectives: employees with 20 objectives are not accountable
Budgeting Approaches (top down, bottom up, negotiated, devolving)
Project Management For Security Leaders The manager will be familiar with the terminology, concepts and five phases of project management and the role of a Project Management Office in IT/IT Security. 30-45
Project management terms
Phases of project management
Monitor, Control, Conflict Resolution, Change Management
Staying on top of execution is key to bringing tasks to close
Closing out
The Network Infrastructure (+) The manager will demonstrate the ability to communicate the fundamental technologies and concepts that describe LAN and WAN network infrastructure. 47-76
OSI Model (frequently used in troubleshooting)
TCP Model
Network Components
VLANS and how they support DiD
Network segmentation
Physical and Logical topology
Major physical topologies; Ethernet and ATM
VOIP Basics, Security Implications, availability issues, and threats
Computer and Network Addressing The manager will demonstrate an understanding that computers have a variety of names and addresses on a network and this must be managed. 77-84
MAC Addresses and OUIs (built into NIC, only last for one hop)
IP addresses and Subnet masks (network and host portion)
CIDR Addressing
Broadcast addresses
Private Addresses strongly recommended
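Worked example (added here; not part of the course material): the address arithmetic behind the items above, using Python's standard ipaddress module on constructed sample addresses. It splits a CIDR address into its network and host portions, derives the mask, network and broadcast addresses and usable host count, and tests membership in the RFC 1918 private ranges the course recommends. Note that Python's own is_private flag also covers documentation and other special-purpose ranges, so the RFC 1918 check is written explicitly.

```python
import ipaddress

# Constructed sample interface addresses (not from the course books).
SAMPLE_HOSTS = [
    "10.20.30.40/24",    # RFC 1918 private space, /24
    "172.20.5.9/20",     # RFC 1918 private space, /20 (mask 255.255.240.0)
    "198.51.100.77/29",  # public documentation range, /29 (6 usable hosts)
    "203.0.113.200/30",  # /30 point-to-point link, 2 usable hosts
]

# The three RFC 1918 blocks recommended for internal addressing.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True only for the RFC 1918 blocks (Python's is_private also flags other special ranges)."""
    addr = ipaddress.ip_address(str(ip))
    return any(addr in block for block in RFC1918)


def describe(cidr):
    """Split a CIDR interface address into the parts a manager should be able to read."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    # Usable hosts exclude the network and broadcast addresses (the /31 special case is ignored).
    usable = max(net.num_addresses - 2, 0)
    return {
        "address": str(iface.ip),
        "netmask": str(net.netmask),
        "prefix": net.prefixlen,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
        "first_host": str(net.network_address + 1) if usable else None,
        "last_host": str(net.broadcast_address - 1) if usable else None,
        "rfc1918": is_rfc1918(iface.ip),
    }


def same_subnet(a, b):
    """Two hosts can talk without a router only if their network portions match."""
    return ipaddress.ip_interface(a).network == ipaddress.ip_interface(b).network


def network_and_host_bits(cidr):
    """Show the 32 address bits split into the network portion and the host portion."""
    iface = ipaddress.ip_interface(cidr)
    bits = format(int(iface.ip), "032b")
    n = iface.network.prefixlen
    return bits[:n], bits[n:]


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(describe(host))
    print(network_and_host_bits("10.20.30.40/24"))
```

Running the block prints one dictionary per sample host; the /29 case is the one to check by hand (198.51.100.77 sits in the block .72 to .79, so .72 is the network, .79 the broadcast, and .73 to .78 are the six usable addresses).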
DNS (+) The manager will understand how the domain name system works and is managed. 85-96
Host table (how it can be used against you or to protect you; relationship to DNS)
How a DNS query works, your DNS server, root server, authoritative server
Function calls gethostbyaddr, gethostbyname
Cache Poisoning - dangers of attacker controlling namespace
Domain Hijacking -- procedural and technical controls to prevent
Cyber Squatting
Protecting Domain Names
Nslookup and queries (reverse lookup may give away your intentions if attacker controls the nameserver)
IP Terminology and Concepts (+) The manager will demonstrate an understanding of the terminology and concepts of IP protocols and how they support the Internet. 98-130
What is a network protocol
Packets vs Frames
IP and important fields
Server and client ports
TCP Model
TCP 3 Way Handshake, connection establishment
Ping, Traceroute/tracert and their uses
Application Layer Security Protocols
Manager's Guide to Assessing a Network Engineer The manager will understand how to assess the ability of a network engineer to understand network traffic 131-148
Done at the job interview
Give them the handout and sample packet
Ask them about embedded protocol and to read the fields
You have the "teacher's edition" to check their work
Vulnerability Management - Outside View (+) The manager will understand common approaches used to gather network intelligence from organizations using commonly available tools and methods across a network. 150-186
Manager's role in prioritizing remediation
Risk of not remediating after knowing about vulnerability
Inside view, outside view, user view
Threat Vectors - relation to DiD
Threat Concerns
How to do a scan, process, dos and don'ts
Why war dialing is still important, tools
Scanning techniques (port, stealth, tcp/udp, passive)
Basic Hacker Process
Exploitation tools versus vulnerability scanners
Role of penetration testing in vulnerability management
Vulnerability Management - Inside View (+) The manager will understand common approaches used to gather network intelligence from organizations using commonly available tools and methods directly from the system. 187-192
Inside view, tools, approach
Vulnerability Management - User View (+) The manager will be able to factor in the impact the user can have on an organization's risk posture. 193-215
Awareness and Inoculation
Social Engineering
P2P and IM dangers and controls
Managing PDA Infrastructure The manager will understand the critical issues related to data stored on Personal Digital Assistant devices. 216-222
Security Threats
Centralized Management versus Individual Device Management
Safety The manager will demonstrate the ability to articulate the needs of the information technology and security program to the parts of the organization responsible for safety. 224-233
Safety first, security second
Evacuation preparation and procedures
Safety walkthrough
Facilities and Physical Security (+) The manager will demonstrate the ability to articulate the needs of the information technology and security program to the parts of the organization responsible for facilities and physical security. 234-264
Smoke and Fire basics
Physical Security basics
Lock types (traditional, cipher lock, magnetic cards, smart cards, biometric)
Detection of unauthorized access
Power basics
Cooling, hot spots
Managing the Procurement Process The manager will demonstrate knowledge of the management responsibility for vendor selection through the primary phases of the procurement process and learn how to provide oversight into requirements analysis, price paid, and analysis of ROI at the one year point. 265-294
Vendor and Product Selection, ricochet response
Trade show tips (slide)
Difference between price and value
Negotiating with vendors (vendor honesty and key negotiating points)
Product support and outsourcing
Mitnick vs. Shimomura The manager will demonstrate familiarity with the details of the famous Mitnick-Shimomura attack. Day 2
DoS against the trusted host, so the legitimate IP does not complain about the spoofed connection
Sequence number prediction
IP address spoofing
Disable defenses
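Worked example (added here, not from the course): a small model of the TCP three-way handshake from the IP Terminology section and of the sequence-number-prediction step of the Mitnick-Shimomura attack. A listener hands out initial sequence numbers either by a fixed increment or randomly; the attacker samples ISNs from its own address, sends a SYN spoofed from a trusted host whose replies it cannot see, and guesses the server ISN in the final ACK. The 128000 increment, the addresses and ISN values are assumptions for the simulation, and the trusted host being flooded is modelled as a flag rather than as real packets.

```python
import random


class TcpListener:
    """Minimal model of a listening TCP socket: SYN -> SYN-ACK -> ACK (or RST)."""

    def __init__(self, isn_source):
        self.isn_source = isn_source   # callable producing the next initial sequence number
        self.half_open = {}            # peer address -> server ISN awaiting the final ACK
        self.established = set()

    def on_syn(self, peer, peer_isn):
        server_isn = self.isn_source()
        self.half_open[peer] = server_isn
        # The SYN-ACK is addressed to `peer`; only whoever controls that address sees it.
        return {"flags": "SYN-ACK", "seq": server_isn, "ack": peer_isn + 1}

    def on_rst(self, peer):
        self.half_open.pop(peer, None)

    def on_ack(self, peer, ack):
        server_isn = self.half_open.pop(peer, None)
        if server_isn is not None and ack == server_isn + 1:
            self.established.add(peer)
            return True
        return False


def predictable_isns(start=1_000_000, step=128_000):
    """ISN source that grows by a fixed amount per connection (step value is an assumption)."""
    state = [start]

    def nxt():
        state[0] += step
        return state[0]
    return nxt


def random_isns(rng):
    """ISN source drawing 32-bit values from a seeded RNG (stand-in for a proper random ISN)."""
    return lambda: rng.getrandbits(32)


def random_listener(seed=7):
    """Listener with unpredictable ISNs; seeded only so the demo is repeatable."""
    return TcpListener(random_isns(random.Random(seed)))


def legitimate_handshake(listener, client="10.0.0.5", client_isn=500):
    """Normal three-way handshake: the client sees the SYN-ACK and acknowledges seq + 1."""
    synack = listener.on_syn(client, client_isn)
    if synack["ack"] != client_isn + 1:
        return False
    return listener.on_ack(client, synack["seq"] + 1)


def blind_spoof(listener, trusted="10.0.0.9", attacker="198.51.100.7", trusted_silenced=True):
    """Attacker completes a handshake *as* `trusted` without ever seeing the SYN-ACK."""
    # 1. Sample ISNs with real connections from the attacker's own address.
    samples = []
    for _ in range(3):
        samples.append(listener.on_syn(attacker, 1)["seq"])
        listener.on_rst(attacker)            # tear each probe down again
    delta = samples[-1] - samples[-2]
    # 2. Send a SYN carrying the trusted host's source address; the SYN-ACK goes to that host.
    listener.on_syn(trusted, 777)
    # 3. Unless the trusted host has been flooded, it answers the unexpected SYN-ACK with RST.
    if not trusted_silenced:
        listener.on_rst(trusted)
    # 4. Guess the server ISN as last sample + delta and send the spoofed final ACK.
    guess = samples[-1] + delta
    return listener.on_ack(trusted, guess + 1)


if __name__ == "__main__":
    print("predictable ISN, trusted host flooded:", blind_spoof(TcpListener(predictable_isns())))
    print("predictable ISN, trusted host answering:", blind_spoof(TcpListener(predictable_isns()), trusted_silenced=False))
    print("random ISN, trusted host flooded:", blind_spoof(random_listener()))
```

The three printed cases map onto the four bullets above: the spoof only succeeds when the ISN is predictable and the trusted host has been silenced; either a random ISN or a trusted host that is free to send RST defeats it.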
Methods of Attack (+) The manager will demonstrate an introductory understanding of the most common attack methods and the basic strategies used to mitigate those threats. 15-66
Malicious Code (Trojan horses, logic bombs, trapdoors)
Logic bomb - Roger Duronio
Denial of Service (centralized p2p, distributed, physical) (2 basic forms: resource exhaustion and unexpected value)
Infrastructure, satellite, undersea cables, fiber optic trunks
MITM and Replay attacks
Physical Attacks
Buffer Overflow key concepts
SPAM and e-mail flooding
Phishing and spear phishing
Race conditions (timing attacks)
Browsing, Enumeration, and Traffic Analysis
Malicious Software (+) The manager will demonstrate an ability to articulate what malicious code is, the common types of malicious code, how it propagates, and why it is such an expensive problem 67-91
Virus types and characteristics, require user action to spread
Worm characteristics, does not require user action to spread
Trojan Horse characteristics
Malicious Browser Content and Hybrid threats (Browser was never designed to be a security gateway)
Propagation techniques
Malware Defense Techniques
The Intelligent Network (+) The manager will demonstrate an understanding of the differences between a typical traditional network design and the new components that are part of an intelligent network. 92-151
Type 1 and Type 2 virtualization (hypervisors)
Unified Threat Management (features, drawbacks, selection criteria)
Basic troubleshooting (troubleshooting UTM)
Firewall types and the default rule
Ingress/Egress filtering
IPS and IDS basics, alert types, and importance of detection
Signature Analysis, Anomaly Analysis, and Application/Protocol Analysis
Managing NIDS Cost (deployment and maintenance)
HIPS and NIPS basics
Endpoint Security (+) The manager will understand the issues related to defending Windows desktops and laptops 152-191
Browser defense, plugins, testing
Anti-virus has reached its limit
Endpoint White list
3rd party applications - Secunia PSI
Logging (+) The manager will learn the foundations of how logging works, options for collection and processing and the uses for correlation technology 177-191
Thin and fat events, referential data
RAID 5, RAID 10
Defense-in-Depth The manager will demonstrate an introductory understanding of the terminology and concepts of Risk and Defense-in-Depth including threats and vulnerabilities. 193-241
Terminology (risk, threat, attack surface)
Security Architect
Architectural Process, zones, checkpoints
Risks associated with connecting USB or Portable devices, or using them as copying devices
Uniform Protection DiD (least important type)
Protected Enclaves DiD
Information Centric DiD
Vector Oriented DiD
Role Based Access Control
Managing Security Policy (+) The manager will demonstrate the ability to assess current policy, identify overall security posture of organization, ensure that existing policy is applicable to organization's needs and modify policy as required. 243-283
Policy Benefits
Policy development tools (standards, guidelines, frameworks, mission statement)
Security Posture and Culture
Issue-specific policy
Policy assessment - SMART
Access Control and Password Management (+) The manager will demonstrate an understanding of the fundamental theory of access control and the role of passwords in controlling access to systems 285-349
Terminology (identity, authentication, authorization, least privilege, need to know, separation of duties, rotation of duties, data owner, single sign on)
Access control models (DAC, MAC, RBAC)
Best Practices (implicit deny, least privilege, separation of duties, job rotation)
Centralized Access Control Technologies (Active directory, RADIUS)
Biometric Basics
Passwords, Hashes and limitations of windows hashes
Password cracking
Strong Password Policy (what it is and why it's needed)
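Worked example (added, not from the course): why unsalted hashes such as LM/NTLM are cheap to crack and what salt and key stretching change. SHA-256 stands in for the unsalted Windows hash (NTLM is really MD4 over UTF-16LE), PBKDF2-HMAC-SHA256 stands in for a modern password store, and the user table and wordlist are constructed. The lm_halves function shows the LM preprocessing (upper-case, NUL-pad to 14, split 7/7) without the DES step.

```python
import hashlib
import os

# Constructed user table and wordlist (not real credentials).
USERS = {"alice": "Summer2010", "bob": "Summer2010", "carol": "u7#Qz!pL4vXe-09"}
WORDLIST = ["password", "letmein", "qwerty", "Summer2010", "Winter2010"]


def lm_halves(password):
    """LM preprocessing: upper-case, NUL-pad to 14 bytes, split into two 7-byte halves.
    Each half is then used as a DES key (omitted here), so a 14-character password is
    really two independent 7-character problems with no lower-case letters at all."""
    padded = password.upper().encode("latin-1")[:14].ljust(14, b"\x00")
    return padded[:7], padded[7:]


def unsalted_hash(password):
    """Stand-in for an unsalted scheme such as LM/NTLM; SHA-256 is used only for illustration."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt, rounds):
    """Per-user salt plus key stretching (PBKDF2-HMAC-SHA256), as a modern store does it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def store_unsalted(users):
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def store_salted(users, rounds):
    stored = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        stored[user] = (salt, salted_hash(pw, salt, rounds))
    return stored


def precomputed_table(words):
    """hash -> password table, built once and reusable against every unsalted store."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(stored, table):
    """One dictionary lookup per user; identical passwords fall together."""
    return {user: table[h] for user, h in stored.items() if h in table}


def crack_salted(stored, words, rounds):
    """The salt defeats the precomputed table: every user costs a fresh guess loop,
    and each guess costs `rounds` iterations."""
    found = {}
    for user, (salt, h) in stored.items():
        for w in words:
            if salted_hash(w, salt, rounds) == h:
                found[user] = w
                break
    return found


def shared_password_visible(stored):
    """In an unsalted store, users with the same password have the same hash."""
    hashes = list(stored.values())
    return len(set(hashes)) < len(hashes)


if __name__ == "__main__":
    unsalted = store_unsalted(USERS)
    print("shared password visible:", shared_password_visible(unsalted))
    print("cracked (unsalted):", crack_unsalted(unsalted, precomputed_table(WORDLIST)))
    salted = store_salted(USERS, rounds=100_000)
    print("cracked (salted):", crack_salted(salted, WORDLIST, rounds=100_000))
```

Both stores give up alice and bob, because "Summer2010" is in the wordlist; the difference is cost. Against the unsalted store the table was built once and answers every user with a lookup, and the duplicate hash already reveals that two users share a password. Against the salted store the attacker must redo the stretched hash for every user and every guess, which is the point of the strong password policy items above: the policy has to keep passwords out of wordlists, because salt only buys time.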
Cryptography Fundamentals (+) The manager will demonstrate a basic understanding of the fundamental terminology and concepts of cryptography. Day 3
OPSEC problem: Enigma and Purple defeated by poor operations
Depend on the secrecy of the key, not the algorithm (example: DVD CSS)
Key management is weakest link
XOR operations
Techniques (substitution, permutation, hybrid) (must be combined very carefully to produce strong crypto)
Cipher types (stream and block)
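Worked example (added; not from the course): the XOR property behind stream ciphers and the one-time pad, and the key-management failure that the "key management is the weakest link" item refers to. XOR is its own inverse, so the same operation encrypts and decrypts; but if the same pad is used for two messages, XORing the two ciphertexts cancels the key and leaves P1 XOR P2, from which a known fragment of one message reveals the same bytes of the other. The two messages and the crib are constructed.

```python
import os


def xor_bytes(a, b):
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("key material must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext, pad):
    """One-time pad: C = P XOR K with a random K as long as P."""
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext, pad):
    """XOR is its own inverse: (P XOR K) XOR K == P."""
    return xor_bytes(ciphertext, pad)


def fresh_pad(length):
    """A new random pad per message from the OS CSPRNG; pads must never be reused."""
    return os.urandom(length)


def two_time_pad_leak(c1, c2):
    """Two ciphertexts under the SAME pad: C1 XOR C2 == P1 XOR P2. The key cancels out."""
    return xor_bytes(c1, c2)


def recover_with_crib(c1, c2, crib, offset):
    """Knowing (or guessing) `crib` at `offset` in P1 exposes the same bytes of P2."""
    mixed = two_time_pad_leak(c1, c2)[offset:offset + len(crib)]
    return xor_bytes(mixed, crib)


def demo():
    # Constructed messages of equal length; the pad is (wrongly) reused for both.
    p1 = b"WIRE FUNDS TO ACCT 4417 TODAY"
    p2 = b"HOLD FUNDS TO ACCT 9981 TODAY"
    pad = fresh_pad(len(p1))
    c1, c2 = otp_encrypt(p1, pad), otp_encrypt(p2, pad)
    return {
        "round_trip_ok": otp_decrypt(c1, pad) == p1,
        "leak_equals_p1_xor_p2": two_time_pad_leak(c1, c2) == xor_bytes(p1, p2),
        "recovered_from_p2": recover_with_crib(c1, c2, b"ACCT 4417", 14),
    }


if __name__ == "__main__":
    print(demo())
```

The attacker in demo never learns the pad; the "ACCT 9981" fragment falls out of the second message purely because the pad was used twice. This is also why a stream cipher must never repeat a keystream (same key and nonce), which is the WEP failure discussed on Day 3.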
General Types of Cryptosystems (+) The manager will demonstrate a high level understanding of the three general types of cryptosystems (symmetric, asymmetric, hash) and their security uses. 27-51
Secret Key Crypto (symmetric/one key crypto)
Public Key Crypto (Asymmetric/two key crypto)
One way hash functions
Goals of each type of crypto system (CIA + non-repudiation)
Cryptography Algorithms and Concepts (+) The manager will demonstrate an introductory level understanding of several crypto algorithms and the concepts behind secure ciphers. 52-78
Concepts in crypto (computational complexity, intractable problems, public scrutiny)
DES (symmetric block cipher; 56-bit key space considered insecure)
RSA vs. DES (asymmetric vs. Symmetric) characteristics
ECC usage and vulnerabilities
Crypto Attacks (known plaintext, chosen plaintext, adaptive chosen plaintext, cipher text only, chosen cipher text, chosen key)
Cryptography Applications, VPNs and IPSec (+) The manager will demonstrate an understanding of how cryptography can be used to secure a network and how Pretty Good Privacy (PGP) works, and be introduced to VPNs, IPSec and Public Key Infrastructure (PKI). 80-134
VPN types (site to site, client VPN)
VPN technologies (SSL, SSH )
VPN components and placement issues
IPsec headers (AH and ESP)
IPsec modes (transport and tunnel)
PPP Basics
Web of Trust (can apply to linkedin or facebook, or people you know)
Key management (public key distribution, private key storage)
Encrypting mail with PGP (which key encrypts decrypts)
PKI CA Hierarchy
Client and Server side certificate uses
PKI Problems (revocation is biggest problem)
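Worked example (added; not from the course) for the "which key encrypts/decrypts" item and for the three cryptosystem types of the preceding section. It follows the PGP pattern: sign with the sender's private key, encrypt the body with a fresh session key, wrap that session key with the recipient's public key. A toy textbook RSA over small Mersenne primes and a SHA-256-based toy stream cipher stand in for real algorithms; both are assumptions chosen so the block runs with only the standard library and neither is safe for real use. The parties and message are constructed.

```python
import hashlib
import os


def make_keypair(p, q, e=65537):
    """Toy textbook RSA from two primes. Assumption: the Mersenne primes used below are far
    too small for real use and there is no padding; this only shows which key does what."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))          # raises ValueError if e is not invertible
    return {"n": n, "e": e}, {"n": n, "d": d}   # (public key, private key)


ALICE_PUB, ALICE_PRIV = make_keypair((1 << 31) - 1, (1 << 61) - 1)
BOB_PUB, BOB_PRIV = make_keypair((1 << 89) - 1, (1 << 31) - 1)

BLOCK = 8   # bytes per RSA block; every input below is a multiple of 8 bytes


def to_blocks(data):
    return [int.from_bytes(data[i:i + BLOCK], "big") for i in range(0, len(data), BLOCK)]


def from_blocks(nums):
    return b"".join(x.to_bytes(BLOCK, "big") for x in nums)


def rsa_public(key, nums):
    """Public-key operation: encrypt TO the key owner, or verify the owner's signature."""
    return [pow(x, key["e"], key["n"]) for x in nums]


def rsa_private(key, nums):
    """Private-key operation: decrypt what was sent to you, or sign as yourself."""
    return [pow(x, key["d"], key["n"]) for x in nums]


def keystream(key, length):
    """Toy bulk cipher: SHA-256(key || counter) blocks XORed with the data."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def sym_crypt(key, data):
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def pgp_send(message, sender_priv, recipient_pub, session_key=None):
    """Sender signs with the SENDER's private key, encrypts the body with a fresh session key,
    and wraps that session key with the RECIPIENT's public key."""
    if session_key is None:
        session_key = os.urandom(16)
    digest = hashlib.sha256(message).digest()
    return {
        "body": sym_crypt(session_key, message),
        "wrapped_key": rsa_public(recipient_pub, to_blocks(session_key)),
        "signature": rsa_private(sender_priv, to_blocks(digest)),
    }


def pgp_receive(envelope, recipient_priv, sender_pub):
    """Recipient unwraps the session key with the RECIPIENT's private key, decrypts the body,
    then checks the signature with the SENDER's public key. Returns (message, signature_ok)."""
    session_key = from_blocks(rsa_private(recipient_priv, envelope["wrapped_key"]))
    message = sym_crypt(session_key, envelope["body"])
    expected = to_blocks(hashlib.sha256(message).digest())
    return message, rsa_public(sender_pub, envelope["signature"]) == expected


if __name__ == "__main__":
    env = pgp_send(b"Approve purchase order 1138", ALICE_PRIV, BOB_PUB)
    print(pgp_receive(env, BOB_PRIV, ALICE_PUB))
```

Read the two functions against the goals list above: the session key wrapped under Bob's public key gives confidentiality (only Bob's private key opens it); the hash signed under Alice's private key gives integrity and non-repudiation (anyone with Alice's public key can verify, only Alice could have produced it). Swapping the keys, or changing one byte of the body, makes the verification return False.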
Wireless Advantages and Bluetooth (+) The manager will demonstrate an understanding of the advantages that make wireless technology ubiquitous and be introduced to Bluetooth wireless technology. 136-145
Wireless Advantages
Bluetooth protocol fundamentals (PIN, discovery mode )
Attacks (Bluesnarfing, Bluejacking, sniffing)
Bluetooth defenses (non-discoverable mode, auditing, pairing in a trusted environment, strong PINs)
802.11 (+) The manager will demonstrate an understanding of the misconceptions and risks of 802.11 wireless networks and how to secure them. 146-177
Types of wireless and their frequencies
WEP Weakness
Security Technologies (WPA, 802.11i, 802.1X, and EAP)
Threats (Eavesdropping, Wardriving, Masquerading, DoS, Rogue AP)
Airborne viruses (Cabir)
Securing and Protecting wireless best practices
Steganography (+) The manager will demonstrate an understanding of the concepts and techniques behind steganography and be introduced to steganographic tools and defensive techniques. 179-206
Differences from crypto and why detecting stego is more difficult
Methods (injection, substitution, file generation)
Managing Privacy (+) The manager will demonstrate familiarity with the privacy concerns that customers typically have and solutions that can be used to improve their customers' privacy. 208-235
Personally Identifiable Information (PII)
OECD Privacy Principles
Significant cases
Privacy Certification (TRUSTe, WebTrust, BBB Online Privacy Seal) (proof of due diligence)
Web Communications and Security (+) The manager will demonstrate an introductory understanding of web application communications, security issues, and defenses. 237-309
Protocol basics (HTTP, HTTPS)
HTTPS security misconceptions
CGI and State/Cookie basics
JavaScript Object Notation (JSON)
Proxy modification of cookies
Cross Site Scripting
SQL Injection (stored procedures and input validation to mitigate)
SOA (Exposes business logic)
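Worked example (added; not from the course) for the Cross Site Scripting and SQL Injection items: the same login query built by string formatting and with bound parameters, run against a constructed in-memory SQLite table, plus a reflected page fragment with and without output encoding. The accounts and payloads are constructed.

```python
import html
import sqlite3


def make_db():
    """In-memory user table with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct-horse", "admin"), ("bob", "battery-staple", "user")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """SQL assembled by string formatting: the caller's text becomes part of the statement."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone()


def login_parameterized(conn, name, password):
    """Bound parameters: the driver sends values separately, so quotes in them stay data."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()


def greeting_vulnerable(name):
    """Reflects user input straight into HTML: the reflected XSS pattern."""
    return f"<p>Welcome back, {name}!</p>"


def greeting_escaped(name):
    """Output encoding: the browser renders the tags as text instead of executing them."""
    return f"<p>Welcome back, {html.escape(name)}!</p>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology in password:", login_vulnerable(db, "alice", "x' OR '1'='1"))
    print("vulnerable, comment in username:  ", login_vulnerable(db, "bob' --", "wrong"))
    print("parameterized, same payload:      ", login_parameterized(db, "alice", "x' OR '1'='1"))
    print(greeting_escaped("<script>alert(1)</script>"))
```

The two payloads show the two classic shapes: a tautology ("x' OR '1'='1") that makes the WHERE clause true for every row, and a comment marker ("bob' --") that discards the password check entirely. With bound parameters both are compared literally against the stored password and the login fails, which is the "input validation" mitigation above done at the only layer that can enforce it.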
Defensive OPSEC The manager will demonstrate an understanding of what OPSEC is and the techniques used in defensive Operational Security. 311-327
OPSEC Defined
The three laws of OPSEC
Employee issues (monitoring, screening, agreements, need to know, least privilege)
Sensitive information (labeling, handling, and access)
Offensive OPSEC The manager will demonstrate an understanding of OPSEC principles by learning offensive OPSEC techniques. 329-364
Limiting publicly available info (email and web)
Differentiate between espionage and competitive intelligence
Sources for researching corporate information
Key Google searching techniques (ext, intitle, site, link, cache, related, inanchor, info)
Competitive intel tools and features (nslookup, tracert, geobytes, Wayback Machine, Dun and Bradstreet)
Using press releases
Info on Individuals (google, intelius, credit reporting)
Managerial Wisdom The manager will demonstrate an understanding of some of the most effective business techniques from the most acclaimed books. 366-376
Know the 7 Habits of Highly Effective People
Key Concepts from Good to Great ( First Who, then What, Hedgehog Concept, Flywheel, Level 5 leader)
Building a Security Awareness Program (+) The manager will demonstrate an understanding of the critical elements of creating and managing a Security Awareness Program. Day 4
Security Awareness Goals (changing user behavior)
Metrics for Security Awareness Programs
General approach to training
Know what NIST SP 800-50 is
Managing Software Security (+) The manager will demonstrate the ability to build security into the software development process. 13-26
Architectural Issues
Best Practices (safe defaults, modular code, user accountability, error handling)
Understand basics of common implementation flaws at a high level
Code Review (Manual, Automated, Hybrid, SDLC Integration)
Honeypots, Honeynets, Honeytokens, Tarpits (+) The manager will demonstrate an understanding of basic honeypot techniques and common tools used to set up honeypots. 28-40
Honeypots defined and types (host, network, service, honey token)
Benefits and Drawbacks of using honeypots
Legal Issues
Technologies (virtualization, the Honeynet Project, LaBrea tarpit)
Managing Intellectual Property (+) The manager will demonstrate the ability to identify and protect intellectual property and intangible assets. 42-123
IP defined
Copyrights (defined, fair use, attacks, defenses)
Digital Rights Management (Sony XCP, CSS)
Trademarks and Service marks (defined, registration, attacks)
Trade secrets and know how (defined, how to identify)
Intellectual Property Valuation
Attacks on IP (insider threats, cybersquatting)
How to protect IP (NDA, non-compete, need-to-know, control publicly released info, label information, monitor outgoing traffic, watermarks, Internet searches, best practices)
Change Management and Security (+) The manager will demonstrate the ability of identifying the signs of poor change management, understanding the risks to the organization, and developing a program to improve operations. 124-147
Relationship between undocumented changes and network instability
Indicators of change management problems
Repeatable builds
Tracking unplanned work
Incident Handling Foundations (+) The manager will demonstrate an understanding of the concepts of incident handling and the six-step incident handling process. 149-193
Incident Handling and Incidents defined
Recognizing incidents (if you detect zero, maybe you are not detecting)
Six Step Incident Handling Process Defined
Preparation Phase - how to in detail
Identification Phase - steps to recognize an incident in detail
Containment Phase - how to contain the incident in detail (make a backup)
Common IH Mistakes
Incident Handling and the Legal System (+) The manager will demonstrate an understanding of the basic legal issues in incident and evidence handling. 194-214
Types of law (regulatory, criminal, civil)
US Title 18 Section 1030 (Computer Fraud and Abuse Act)
Search and Seizure (with and without warrant)
Chain of Custody
Evidence collection (real, direct, best, relevant, reliable, integrity, sign and seal)
Information Warfare The manager will be familiar with the techniques, examples of, and theory of information warfare. 216-246
Perception Management
Malicious code blitz
Predictable Response
Currency Destabilization
Disaster Recovery / Contingency Planning (+) The manager will demonstrate the ability to lead the BCP/DRP team and realistically plan for Business Continuity and Disaster Recovery. 246-290
BCP (definition and components)
DRP (definition and components)
Key Elements of continuity planning
Business Impact Analysis
Top BCP/DRP Planning Mistakes
Managing Ethics The manager will demonstrate familiarity with ethical issues and guidelines pertaining to IT security. 292-323
Ethics Terminology (Ethics, Morals, Policy, Laws, Culture)
Ethical Leadership (managers)
Seven signs of ethical collapse
48 laws of power (concept of amorality: win at any cost)
Risk Management and Auditing The manager will demonstrate an understanding of how to evaluate and manage risk. 325-376
Types of Risk
Terminology (Risk, threat, vulnerability, SDLC)
Acting on the risk (accept, mitigate, transfer, avoid)
Calculating Single Loss Expectancy (SLE)
Calculating Annualized Loss Expectancy (ALE)
Difference between qualitative and quantitative approaches
Best Practices (templates, group policy, hotfixes)
Briefing Management
Analysis types (SWOT, Cost Benefit, Weakness Gap, Threat Gap)
Acceptable Risk (who decides)
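Worked example (added; not from the course): SLE and ALE carried through to a cost/benefit ranking of safeguards, with the four ways of acting on a risk above represented as mitigate, transfer (insurance) or accept. All asset values, exposure factors, rates of occurrence and costs are constructed; amounts are rounded to cents so the comparisons are exact.

```python
# Constructed scenarios; the figures are illustrative, not from the course books.
SCENARIOS = [
    {
        "name": "public web server defacement",
        "asset_value": 250_000, "exposure_factor": 0.10, "aro": 2.0,   # twice a year
        "safeguards": [
            {"name": "web application firewall", "kind": "mitigate",
             "annual_cost": 12_000, "new_ef": 0.10, "new_aro": 0.5},
            {"name": "fully outsourced hosting", "kind": "transfer",
             "annual_cost": 45_000, "new_ef": 0.10, "new_aro": 0.0},
        ],
    },
    {
        "name": "lost laptop holding customer data",
        "asset_value": 1_000_000, "exposure_factor": 0.30, "aro": 0.1,  # once per decade
        "safeguards": [
            {"name": "full disk encryption", "kind": "mitigate",
             "annual_cost": 8_000, "new_ef": 0.02, "new_aro": 0.1},
            {"name": "cyber insurance", "kind": "transfer",
             "annual_cost": 35_000, "new_ef": 0.00, "new_aro": 0.1},
        ],
    },
]


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x exposure factor (fraction of the asset lost per event)."""
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x annualized rate of occurrence (ARO below 1 means less than yearly)."""
    return round(sle * aro, 2)


def safeguard_value(ale_before, ale_after, annual_cost):
    """Positive means the control saves more than it costs per year."""
    return round(ale_before - ale_after - annual_cost, 2)


def evaluate(scenario):
    """ALE for the scenario, every safeguard's net value, and the resulting decision."""
    sle = single_loss_expectancy(scenario["asset_value"], scenario["exposure_factor"])
    ale = annualized_loss_expectancy(sle, scenario["aro"])
    options = []
    for sg in scenario["safeguards"]:
        ale_after = annualized_loss_expectancy(
            single_loss_expectancy(scenario["asset_value"], sg["new_ef"]), sg["new_aro"])
        options.append((sg["name"], safeguard_value(ale, ale_after, sg["annual_cost"]), sg["kind"]))
    options.sort(key=lambda o: o[1], reverse=True)
    best_name, best_value, best_kind = options[0]
    if best_value > 0:
        decision = f"{best_kind} via {best_name}"
    else:
        decision = "accept (no safeguard pays for itself)"
    return {"sle": sle, "ale": ale, "options": options, "decision": decision}


if __name__ == "__main__":
    for scenario in SCENARIOS:
        print(scenario["name"], evaluate(scenario))
```

The output is what the "Briefing Management" item needs: not a raw ALE but the net annual value of each option, so that a 12,000 firewall returning 25,500 a year beats a 45,000 outsourcing contract that eliminates the risk, and an insurance premium larger than the expected loss shows up as a negative number rather than a safe default.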
Managing the Mission The manager will demonstrate an understanding of how mission statements and policy keep organizations on track and how security relates to the mission. Day 5
Mission Statement
Security Frameworks The manager will be familiar with the basic structure and approach to implementation of COBIT and ISO 27002 as well as practical tools to help implement the standard 12-25
ISO 27002 / ISO 17799 defined
Understand security's relationship to the organizations mission
Selling Security The manager will understand the basics of the sales process and how to sell a security program to senior management 26-32
Selling A Security Program to upper management
Strategic Information Systems Plan
Quality The manager will learn the basics of continuous product improvement and Deming's 14 points 33-43
Deming’s 14 points
Deming, Out of the Crisis
Process Improvement
Managing IT Business and Program Growth in a Globalized Marketplace The manager will demonstrate an understanding of the key factors affecting globalization and the fundamental principles to managing an IT business and achieving sustainable growth 44-79
Potential barriers to global communication and business
Five specific cultural points (shaking hands, ...)
Projected largest economy in 2050
Value Added Tax (defined and benefits)
Three Cs (customer, cost, community)
Four Ps of Marketing (product, price, promotion, position)
Location (physical and virtual)
Key Business Concepts (Continuous Process Improvement, strategic and disruptive innovation)
Security and Organizational Structure The manager will demonstrate an understanding of how security integrates into organizational structure and be familiar with guidelines for recruiting and hiring IT staff. 80-109
Potential conflict of interest for CISO/CSO to report to CIO
Capacity Analysis and Methods for Increasing Capacity
Employee Discipline and Termination
Filling positions (recruitment, hiring, interviews, 1099)
Employee Performance (measuring, diagnosing causes of failure)
Employee retention, compensation, and promotion.
Managing the Total Cost of Ownership The manager will demonstrate an understanding of how to apply TCO to analyze proposed solutions over their entire life cycle as well as be able to identify main areas of cost for a given project. 110-139
Direct costs and Indirect costs
Depreciation (straight line, sum of years)
SDLC disposal phase (grave costs)
TCO (defined, how to calculate)
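Worked example (added; not from the course): straight-line and sum-of-years-digits depreciation schedules, the book value they leave each year, and a simple TCO that includes the disposal-phase ("grave") cost alongside direct and indirect running costs. The appliance figures are constructed.

```python
def straight_line(cost, salvage, years):
    """Equal charge every year: (cost - salvage) / years."""
    charge = (cost - salvage) / years
    return [round(charge, 2)] * years


def sum_of_years_digits(cost, salvage, years):
    """Front-loaded: year k (1-based) charges (years - k + 1) / (1 + 2 + ... + years) of the base,
    so most of the value is written off while the asset is new."""
    base = cost - salvage
    digits_total = years * (years + 1) // 2
    return [round(base * (years - k) / digits_total, 2) for k in range(years)]


def book_value(cost, schedule):
    """Remaining book value after each year's charge."""
    values, remaining = [], cost
    for charge in schedule:
        remaining -= charge
        values.append(round(remaining, 2))
    return values


def total_cost_of_ownership(purchase, annual_direct, annual_indirect, disposal, years):
    """Acquisition + (direct + indirect) running costs over the service life + disposal costs.
    Indirect costs (staff time, training, downtime) are the ones most often left out."""
    return purchase + years * (annual_direct + annual_indirect) + disposal


if __name__ == "__main__":
    # Constructed: a 60,000 log-management appliance, 5-year life, no salvage value,
    # 12,000/yr support (direct), 40,000/yr analyst time (indirect), 3,000 secure disposal.
    syd = sum_of_years_digits(60_000, 0, 5)
    print("straight line:", straight_line(60_000, 0, 5))
    print("sum of years digits:", syd, "book value:", book_value(60_000, syd))
    print("TCO over 5 years:", total_cost_of_ownership(60_000, 12_000, 40_000, 3_000, 5))
```

In the constructed case the purchase price is under a fifth of the five-year TCO; the indirect analyst time dominates, which is the point of evaluating proposals over the whole life cycle rather than on price.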
Managing Negotiations The manager will demonstrate familiarity with the guidelines of sound negotiation practices. 140-163
Distributive Bargaining (BATNA, ZOPA, claiming value, anchoring point)
Integrative Bargaining (principled, mutual gains, win-win)
Negotiation Keys (internalization, change, authority, price vs value, speed, walking away)
Good negotiation is win-win.
Managing Legal Liability (+) The manager will demonstrate an understanding of how to use due diligence to manage an organization's legal liability with emphasis on fraud and IT issues. 164-195
Types of Fraud (internal, customer, credit card, accounting, telecom)
Indicators of Fraud
Downstream liability and contributory negligence (related to DiD and due diligence)
Common Damages
Zubulake standard, eDiscovery
Best Practices for Managing Liability
Managing Technical People The manager will demonstrate an understanding of the techniques that can be used to communicate with and manage technical staff. 196-227
E-mail (business record, retention policy, when to use other comms)
Value of Metrics
Meeting (best practices)
Understand the power dynamic between technical staff and management
Listening to and Understanding technical people
Encouraging Closure of projects