SANSFire 2008 – Audit 507, Day 5 – Windows

Day 5: Auditing Windows systems. Not really a lot of earth-shattering news here today. Having been exposed to Windows tools like MMC, Security Policies and Group Policies, and the Event Viewer for years now, I was in pretty familiar territory. There were some reminders (why LM hashes are bad, what to do about them if you still have them) and some new ideas (methods for baselining a system and taking periodic diffs to compare, moving forward), but no real “aha moments” for me. Not that I’m complaining, mind you. I’ve had enough new stuff for now. At least today my brain did not feel like it was completely overflowing.
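The two Day 5 take-aways, LM hashes and periodic baseline diffs, as an added PowerShell example that is not from the original post or from the SANS course material. It records a few security-relevant settings to JSON and, on later runs with -Diff, reports drift against that saved baseline. The baseline directory and the choice of settings are the editor's assumptions; NoLMHash under HKLM\SYSTEM\CurrentControlSet\Control\Lsa is the real value, and 1 means Windows stops storing the LM hash at the next password change (existing LM hashes remain until passwords are changed).

```powershell
# Added example (not from the original post): snapshot a few Windows security
# settings to JSON and diff the snapshot against a previously saved baseline.
# $BaselineDir and the chosen settings are assumptions for illustration.
# Run once to write the baseline, then with -Diff on later audit passes.
param(
    [string]$BaselineDir = "C:\Audit\Baselines",
    [switch]$Diff
)

function Get-SecuritySnapshot {
    # NoLMHash = 1 tells the LSA to stop storing LM hashes at the next password change.
    # A missing value reads as 0 here, i.e. LM hashes are still being stored.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [pscustomobject]@{
        Host         = $env:COMPUTERNAME
        Taken        = (Get-Date).ToString('o')
        NoLMHash     = [int]($lsa.NoLMHash)
        LocalAdmins  = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name } | Sort-Object)
        AutoServices = @(Get-CimInstance Win32_Service | Where-Object StartMode -eq 'Auto' | ForEach-Object { $_.Name } | Sort-Object)
        ListenPorts  = @(Get-NetTCPConnection -State Listen | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" } | Sort-Object -Unique)
    }
}

function Compare-Snapshot {
    param($Old, $New)
    if ($Old.NoLMHash -ne $New.NoLMHash) { "NoLMHash changed: $($Old.NoLMHash) -> $($New.NoLMHash)" }
    # Set-style diff of each list; written out by hand so empty lists are handled.
    foreach ($list in 'LocalAdmins','AutoServices','ListenPorts') {
        $oldSet = @($Old.$list); $newSet = @($New.$list)
        foreach ($x in $newSet) { if ($oldSet -notcontains $x) { "${list}: added $x" } }
        foreach ($x in $oldSet) { if ($newSet -notcontains $x) { "${list}: removed $x" } }
    }
}

New-Item -ItemType Directory -Path $BaselineDir -Force | Out-Null
$baselinePath = Join-Path $BaselineDir "$env:COMPUTERNAME-baseline.json"
$current = Get-SecuritySnapshot

if ($current.NoLMHash -ne 1) {
    Write-Warning "NoLMHash is not set to 1; LM hashes may still be stored. Set it and force password changes."
}

if ($Diff -and (Test-Path $baselinePath)) {
    $baseline = Get-Content $baselinePath -Raw | ConvertFrom-Json
    $changes  = @(Compare-Snapshot -Old $baseline -New $current)
    if ($changes.Count -eq 0) { "No drift from baseline taken $($baseline.Taken)" } else { $changes }
} else {
    $current | ConvertTo-Json -Depth 3 | Set-Content $baselinePath
    "Baseline written to $baselinePath"
}
```

Get-LocalGroupMember and Get-NetTCPConnection need Windows 10 / Server 2016 or later; on older hosts swap in `net localgroup Administrators` and `netstat -ano` output. The point of the pattern is that the audit compares against a known-good snapshot rather than against memory, so anything that shows up as "added" is a question for the admin.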

I also took a sneak peek at tomorrow’s book on auditing Unix. Familiar stuff there too. (*phew!*)

SANSFire 2008 – Audit 507 – Day 3

Day three – Auditing Networks, done. Today we covered what it takes to audit a network, including those little things called modems. Remember them? You used to use them to do stuff like send faxes, connect to your local BBS, or get dial-up Internet access! And, if you’re a poor, unfortunate soul who lives in Vermont, odds are pretty good that you still use one of those modems for dialup access. (Not that I would know anything about that.)

SANSFire 2008 – Audit 507 – Day 2

Today we covered what it takes to audit Cisco (and other) routers and firewalls. I learned a couple of new things about Cisco IOS, but in auditing, we are mainly concerned with ensuring that things are doing what they’re supposed to do, not necessarily configuring or doing in-depth troubleshooting.

Again, we covered tips and techniques to help admins appreciate what the role of an auditor is, and to demonstrate that we’re not “the enemy,” but here to help.

We did a few exercises, including analyzing a router config file (in which every single line of the IOS config has errors), reviewing a firewall ruleset with similar errors, and conducting a sample audit on a network of virtual machines. I was exposed to a couple of new (to me) tools made specifically for auditing Cisco routers, RAT and Nipper, which analyze configurations for common problems and present them in a (sometimes) easy to understand report.
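A taste of what a config analyzer like RAT or Nipper does, as an added PowerShell example that is not from the original post and is not how either tool is implemented: a handful of common IOS checks run over a constructed, deliberately bad config. The check list, messages and the sample config are the editor's assumptions; the IOS commands referenced (enable secret, service password-encryption, transport input ssh, access-class, no ip http server) are real.

```powershell
# Added example (not from the original post, not RAT/Nipper code): a few of the
# checks a Cisco config analyzer performs, run against a constructed IOS config
# that contains the kind of mistakes a classroom exercise would plant.
$config = @"
hostname lab-rtr
enable password cisco123
no service password-encryption
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 password telnet123
 transport input telnet
 login
"@

function Test-IosConfig {
    param([string]$Text)
    $lines    = $Text -split "`r?`n"
    $findings = New-Object System.Collections.Generic.List[string]

    # Global settings: each "$lines -match" returns the matching lines, so a
    # non-empty result means the weak setting is present.
    if ($lines -match '^enable password ') {
        $findings.Add('enable password in use; replace with "enable secret" (hashed)')
    }
    if ($lines -match '^no service password-encryption') {
        $findings.Add('service password-encryption disabled; line/user passwords stored in the clear')
    }
    if ($lines -match '^ip http server') {
        $findings.Add('HTTP management enabled; use "no ip http server"')
    }
    # SNMP: flag default community names and anything read-write.
    foreach ($m in ($lines | Select-String '^snmp-server community (\S+) (RO|RW)')) {
        $name, $mode = $m.Matches[0].Groups[1].Value, $m.Matches[0].Groups[2].Value
        if ($name -in 'public','private' -or $mode -eq 'RW') {
            $findings.Add("SNMP community '$name' ($mode): default or writable community string")
        }
    }
    # vty lines: walk each "line vty" block (the indented lines beneath it).
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -notmatch '^line vty') { continue }
        $block = @(); $j = $i + 1
        while ($j -lt $lines.Count -and $lines[$j] -match '^\s') { $block += $lines[$j].Trim(); $j++ }
        if (-not ($block -match '^transport input ssh$')) {
            $findings.Add("$($lines[$i]): telnet permitted; set 'transport input ssh'")
        }
        if (-not ($block -match '^access-class ')) {
            $findings.Add("$($lines[$i]): no access-class restricting management sources")
        }
    }
    return $findings
}

Test-IosConfig -Text $config | ForEach-Object { "FINDING: $_" }
```

Against the sample config every check fires, which is the point of the classroom exercise: the auditor's job is to recognize each of these as a deviation from a standard and report it, not to fix the router. Real analyzers carry hundreds of such rules and know about the subtleties (older IOS syntax, IPv6 access-lists, `transport input ssh telnet`), which is why the report can be less readable than the checks themselves.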

The exercises are not as tough as some other training I’ve had, by far, but at the end of the day, I’m definitely feeling that I’ve absorbed enough that I need to take a break and unplug for a while, which is a good thing.

SANSFire 2008 – Audit 507, Day 1

My first day of classes here at SANSFire 2008, where I’m taking their Audit 507 course, is going well. Not having any formal audit training, but still knowing something of the basics (so I thought, anyway), I decided to take the 500-level course as opposed to the intro to auditing. So far, I am happy with this choice, as the first day, which is supposed to get everyone from different auditing backgrounds on the same page with terminology and goals, is not strange to me.

The hotel is nice, and the staff are helpful. However, in order to prepare my Medifast meals I need to use a microwave oven down in the food court area, which is somewhat inconvenient – especially since 3 out of 5 meals a day require heat.

My room’s pretty good too, except there is no refrigerator in it! I’m compensating by maintaining a bucket of ice at all times. Also, the safe is in a drawer which didn’t want to fully open until I really worked to pry it, fortunately without breaking anything.

Allegedly tomorrow’s class, focusing on firewalls and Cisco routers, is the most technical day, and the one that most folks complain about. Sounds like fun! (no, really!)