
Applicable Sections in Compliance Mandates

Most guidance simply tells enterprises which standards apply. The SANS Compliance Map provides the specific section references to help ensure you get compliance AND security. Each entry below names one defensive wall (described later on the poster) and the sections of each mandate that the tools in that wall help satisfy. SOX references are COBIT control objectives (PO, AI, DS, ME); FISMA references are NIST SP 800-53 control identifiers; GLBA references are to the Safeguards Rule, 16 CFR Part 314; HIPAA references are to 45 CFR Part 164.

Wall 1.1 Source Code and Binary Code Testing Tools and Services
  PCI/DSS: 6.3.6, 6.3.7, 6.6
  SOX: AI2.8
  GLBA: 16 CFR Part 314.4(b) & (2)
  FISMA: RA-5, SC-18, SA-11, SI-2
  ISO 27001/27002: 12.4.1, 12.4.3, 12.5

Wall 1.2 Application Security Scanners (Black Box Scanners)
  PCI/DSS: 6.3
  SOX: AI2.4
  GLBA: 16 CFR Part 314.4(b) & (2)
  HIPAA: 164.303(a)(1)(i) (as printed; the Security Rule's administrative safeguards are at 164.308)
  FISMA: RA-5, SA-11, SI-2
  ISO 27001/27002: 12.6, 15.2.2

Wall 1.3 Application Security Skills Assessment & Certification
  PCI/DSS: 6.3.7
  SOX: AI2.7, AI2.8, DS7
  HIPAA: 164.308(a)(3)
  FISMA: SA-11, SI-2
  ISO 27001/27002: 6.1.8, 8.2.1-2

Wall 2.1 Intrusion Prevention (IPS) & Detection (IDS)
  PCI/DSS: 10.6, 11.4
  SOX: AI3.2, DS5.10
  GLBA: 16 CFR Part 314.4(b) & (3)
  HIPAA: 164.306(a)(2), 164.308(a)(1), 164.308(a)(6)
  FISMA: SI-4, AC-2
  ISO 27001/27002: 10.6.2, 10.10.1, 10.10.2, 10.10.4, 15.1.5

Wall 2.2 Wireless Intrusion Prevention (WIPS)
  PCI/DSS: 11.1
  SOX: AI3.2, DS5.10
  GLBA: 16 CFR Part 314.4(b) & (3)
  HIPAA: 164.308(a)(1), 164.308(a)(6)
  FISMA: AC-18
  ISO 27001/27002: same as Wall 2.1

Wall 2.6 Secure Messaging Gateways and Anti-Spam Tools
  PCI/DSS: 4.2, Requirement 5
  SOX: AI3.2, DS5.9, DS5.10, DS5.11
  GLBA: 16 CFR Part 314.4(b) & (3)
  HIPAA: 164.308(a)(1), 164.308(a)(6)
  FISMA: AC-4, SC-7, SI-3, SI-8
  ISO 27001/27002: 10.6.2, 10.8.4, 10.10.1, 10.10.2, 11.4.6, 15.1.5

Wall 2.7 Web Application Firewalls
  PCI/DSS: 6.6
  SOX: AI3.2, DS5.10
  GLBA: 16 CFR Part 314.4(b) & (3)
  HIPAA: 164.308(a)(1), 164.308(a)(6)
  FISMA: AC-4, SC-7
  ISO 27001/27002: 10.6.2, 10.10.1, 10.10.2

Wall 3.1 Endpoint Security
  PCI/DSS: Requirement 5, 10.6
  SOX: DS5.9
  GLBA: 16 CFR Part 314.4(b) & (3)
  HIPAA: 164.306(a)(2), 164.312(a)(1), 164.308(a)(1), (2) & (6), 164.310(c)
  FISMA: SI-3, SI-8, SC-18, AC-2
  ISO 27001/27002: 11.7.1, 11.7.2

Wall 3.2 Network Access Control (NAC)
  SOX: AI3.2, DS5.3, DS5.4, DS5.10
  GLBA: 16 CFR Part 314.4(b) & (3)
  HIPAA: 164.306(a)(2), 164.308(a)(1), (2) and (6), 164.312(a)(1) and (d)
  FISMA: SI-4, AC-3, AC-4, AC-17
  ISO 27001/27002: 10.6.2, 10.10.1, 10.10.2, 15.1.5

Wall 4.3 Penetration Testing and Ethical Hacking
  PCI/DSS: 11.3
  SOX: AI3.3
  GLBA: 16 CFR Part 314.4(c)
  HIPAA: 164.308(a)(8)
  FISMA: RA-5, SI-2
  ISO 27001/27002: 12.6, 15.2.2

Wall 4.4 Patch and Security Configuration Management and Compliance
  PCI/DSS: 2.2, 6.1, 6.3.1
  SOX: AI3.3, DS9
  HIPAA: 164.308(a)(1), 164.310(b) & (c)
  FISMA: CA-7, CM-1 through CM-4, CM-6, CP-10, PL-3, SA-4, SA-10, SI-2
  ISO 27001/27002: 10.4.2, 10.10.1, 12.4.1, 12.5.2, 12.5.3, 12.6.1

Wall 5.1 Identity & Access Management
  PCI/DSS: 8.5, 10.1
  SOX: DS5.3, DS5.4
  HIPAA: 164.312(a)(1) and (d)
  FISMA: AC-3, AC-17, AU-3, IA-2, IA-4, IA-5
  ISO 27001/27002: 10.9, 10.10.1, 11.2.3, 11.5.2

Wall 5.2 Mobile Data Protection & Storage Encryption
  PCI/DSS: Requirement 3
  SOX: AI3.2, DS5.8, DS11.2, DS11.4, DS11.6, DS13.4
  GLBA: 16 CFR Part 314.4(b) & (2)
  HIPAA: 164.310(d)(1), 164.312(a)(2)(iv)
  FISMA: AC-3, CP-9, MP-4
  ISO 27001/27002: 10.5.1, 11.7.1, 12.3.1, 12.3.2, 15.1.6

Wall 6.1 Log Management and Security Information & Event Management
  PCI/DSS: 10.1-2, 10.5-6, 10.7
  SOX: DS5.5, DS13.3
  GLBA: 16 CFR Part 314.4(b) & (2)
  HIPAA: 164.308(a)(5), 164.312(b)
  FISMA: SI-4, SI-11, AC-7, AC-8, AC-11, AC-13, AU-2 through AU-4, IA-2
  ISO 27001/27002: 10.10, 11.5.2, 11.5.4, 12.2.1, 12.2.4, 12.4.2, 12.6.1, 13.2.3, 15.1.3, 15.3.1

Wall 6.2 Media Sanitization and Mobile Device Recovery and Erasure
  SOX: AI3.2, DS11.2, DS11.4, DS11.6
  HIPAA: 164.310(d)(1), 164.312(a)(2)(iv)
  FISMA: MP-4, MP-6
  ISO 27001/27002: 8.3.2, 10.7.2, 10.10.1, 11.7.1, 12.4.2, 15.3.1

Wall 6.3 Security Skills Development
  PCI/DSS: all sections
  SOX: DS7, DS8
  HIPAA: 164.308(a)(3)
  FISMA: AT-3
  ISO 27001/27002: 6.1.8, 8.2.1, 8.2.2

Wall 6.4 Security Awareness Training
  PCI/DSS: 12.6
  SOX: DS7, DS8
  GLBA: 16 CFR Part 314.4(b) & (1)
  HIPAA: 164.308(a)(5)
  FISMA: AT-2, AT-4
  ISO 27001/27002: 8.2.2

For hands-on courses covering how to make many of these technologies effective, see www.sans.org

Too many organizations try to get compliant first and then figure out how to get secure. Constantly evolving threats drive the need for a layered approach to security; constantly growing regulatory requirements create the need for compliance. Don't spend your money twice. The SANS WhatWorks program lets you learn from actual users of security products. Start your search at www.sans.org/whatworks to see which tools keep your organization secure and help you meet compliance standards at the same time.

You can hear users talk about how each product actually works by visiting www.sans.org/whatworks. Users of these vendors' products have described their successes at SANS WhatWorks Summits. This chart shows where the products below help you meet specific sections of each compliance mandate.

Defensive Wall 1: Proactive Software Assurance

Summary: The single most effective step in thwarting attacks is to design applications and develop code with fewer security flaws and stronger security features. A number of mature security tools can find vulnerabilities in software and greatly reduce the time spent mitigating those weaknesses.

1.1 Source Code and Binary Code Testing Tools and Services
These tools search through code with the goal of finding potential vulnerabilities and other security weaknesses. Because they do not require a complete, running software system, they can be used to test code during development or integration.
Products: Ounce Labs Ounce 6; Fortify 360; Veracode Code Auditing Services; HP WebDevinspect

1.2 Application Security Scanners (Black Box Scanners)
These tools detect common programming errors in Web-based applications by exercising the running application from the outside. While tools should be part of the solution, skilled humans are the key to finding the lower-level vulnerabilities that more targeted attacks will exploit.
Products: HP WebInspect; IBM Rational AppScan; Rapid7 NeXpose; WebScarab (free); Nikto/Wikto (free); Paros (free); Acunetix Web Vulnerability Scanner

1.3 Application Security Skills Assessment & Certification
Application security managers can ensure that programmers are able to identify and eliminate common security flaws from code by using assessment tools, and by having outsourced programmers prove their knowledge through certification.
Products: Assessment of secure coding skills through online measurement in Java, C, and .NET (SANS GSSP Assessments); Certification of secure coding skills in Java, C, and .NET (SANS GSSP Certifications)

For full information on best practices in application security, see www.sans-ssi.org

Applicable sections (continued):

Wall 2.3 Network Behavior Analysis and DDoS Monitoring
  PCI/DSS: 11.4
  SOX: AI3.2, DS5.5, DS5.10
  GLBA: 16 CFR Part 314.4(b) & (3)
  HIPAA: 164.308(a)(1), 164.308(a)(6)
  FISMA: IR-4, SI-4
  ISO 27001/27002: same as Wall 2.1

Wall 2.4 Firewalls, Enterprise Antivirus and Unified Threat Management
  PCI/DSS: Requirements 1 & 5
  SOX: AI3.2, DS5.9, DS5.10
  GLBA: 16 CFR Part 314.4(b) & (3)
  HIPAA: 164.308(a)(1), 164.308(a)(5), 164.308(a)(6)
  FISMA: AC-4, SC-7, SI-3, SI-8
  ISO 27001/27002: 10.4, 10.6.2, 10.10.1, 10.10.2, 10.10.4, 11.4.5, 11.6, 11.7.1, 12.5.5, 12.6.1, 15.1.5

Wall 3.3 System Integrity Checking Tools
  PCI/DSS: 10.5.5, 11.5, 12.9.5
  SOX: DS5.5
  GLBA: 16 CFR Part 314.4(b) & (3)
  HIPAA: 164.312(e)(1)
  FISMA: AC-19, CP-9, SI-1, SI-7
  ISO 27001/27002: 12.3, 12.5.1, 12.5.3, 15.3

Wall 3.4 Application Control and Configuration Hardening Tools
  PCI/DSS: 2.2
  SOX: AI3.2
  HIPAA: 164.308(a)(1), 164.310(c)
  FISMA: CA-7, CM-1, CM-2, CM-3, CM-4, CM-6, CP-10, PL-3, SA-4
  ISO 27001/27002: 10.4.2, 10.10.1

Wall 4.1 Network Discovery Tools
  PCI/DSS: 11.2
  SOX: AI3.3
  GLBA: 16 CFR Part 314.4(c)
  HIPAA: 164.308(a)(8)
  FISMA: RA-5

Wall 5.3 Storage & Backup Encryption
  PCI/DSS: Requirement 3
  SOX: AI3.2, DS5.8, DS11.2, DS11.4, DS11.6, DS13.4
  GLBA: 16 CFR Part 314.4(b) & (2)
  HIPAA: 164.310(d)(1), 164.312(a)(2)(iv)
  FISMA: AC-3, CP-9, MP-4
  ISO 27001/27002: 10.5, 12.3.1, 12.3.2, 15.1.6

Wall 6.5 Forensics Tools
  PCI/DSS: 10.2, 12.9, A.1.4 (shared hosting providers only)
  SOX: DS7
  HIPAA: 164.308(a)(1) & (a)(6)
  FISMA: IR-7
  ISO 27001/27002: 13.2.1, 13.2.3

Defensive Wall 2: Blocking Attacks: Network Based

Summary: Although many of the most damaging attacks come from insiders, malicious traffic from the outside makes up the vast majority of all recorded attacks. Effective cyber defense starts with technology that makes it very hard for those external attacks to get in.

2.1 Intrusion Prevention (IPS) & Detection (IDS)
IPS and IDS work together: you have to detect something before you can block it. IDS monitors network traffic looking for the characteristics of known attacks. The strength of IPS over a typical stateful firewall is that it can inspect the content of network traffic at a high enough rate to block malicious connections while letting legitimate traffic through. The key is to deploy this technology in-line so you can move easily from detection to blocking.
Products: Sourcefire 3D; IBM Proventia; Cisco IPS; Snort (free); TippingPoint IPS; Juniper IDP; Fortinet FortiGate; McAfee Network Security Platform

2.2 Wireless Intrusion Prevention (WIPS)
These tools monitor traffic to and from wireless networks, detect misconfigured or unauthorized access points, and provide reporting and analysis for compliance.
Products: Motorola AirDefense; AirMagnet Enterprise; AirTight Networks SpectraGuard; Aruba RFprotect; Kismet (free)

2.3 Network Behavior Analysis and DDoS Monitoring
These tools look for traffic patterns that are abnormal and suspicious, with automated alerting on patterns that might indicate denial-of-service attacks. Security analysts also use NBA tools in a more manual mode to help tune IPS and investigate incidents.
Products: Lancope StealthWatch; Sourcefire RNA; Arbor Networks Peakflow; Mazu Networks Mazu Profiler; Q1 Labs QRadar

2.4 Firewalls, Enterprise Antivirus and Unified Threat Management
Traditional firewalls do not look inside packets; they rely on information in the packet headers: ports, source and destination addresses, and protocol state. Next-generation firewalls combine traditional firewall functionality with IPS and Web security gateway features (anti-malware and anti-spyware), and they support applying security policy regardless of which port or protocol is used.
Products: CheckPoint VPN-1; Juniper SSG, ISG & NetScreen; McAfee VirusScan Enterprise; Symantec Endpoint Protection; Kaspersky Open Space Security; Cisco ASA; Fortinet FortiGate

2.5 Secure Web Gateways
Enterprise applications and collaboration systems increasingly use HTTP as the underlying protocol. Secure Web Gateways provide inbound filtering of malware such as viruses, worms and spyware, as well as outbound URL blocking and other forms of policy enforcement.
Products: Secure Computing Webwasher; BlueCoat ProxySG; Websense Web Security Gateway; Cisco IronPort

2.6 Secure Messaging Gateways and Anti-Spam Tools
Spam continues to waste productive time for millions of increasingly angry Internet users. Secure email gateways block inbound spam as well as viruses, worms and other malicious executables, and can also enforce outbound policy control for email and instant messages.
Products: Secure Computing SecureMail; Websense Email Security; Cisco IronPort; Symantec BrightMail; Barracuda Spam Firewall; MailWasher (free)

2.7 Web Application Firewalls
These appliances and software packages should be used in addition to, not instead of, strong application development security processes, particularly Web application penetration testing and intensive training of Web application developers. WAFs can be standalone appliances or can be incorporated into other network elements such as Application Delivery Controllers.
Products: Imperva SecureSphere; Citrix Application Firewall; F5 BIG-IP Application Security Manager; ModSecurity (free); Breach WebDefend & ModSecurity Pro

2.8 Managed Security Services
MSS ensure that trained eyes are watching the firewalls, IPS and IDS systems, Web security gateways and even the logs from internal systems. They provide rapid analysis and quick notification. More advanced services add automated vulnerability scanning, give early warning, and help determine when and where to act to protect against new vulnerabilities and exploits.
Products: BT Counterpane MSS; Verisign MSS; SecureWorks MSS; Symantec MSS

Security Compliance Mandates (key to abbreviations)
PCI/DSS: Payment Card Industry Data Security Standard
SOX: Sarbanes-Oxley Act
GLBA: Gramm-Leach-Bliley Act
HIPAA: Health Insurance Portability and Accountability Act
FISMA: Federal Information Security Management Act
ISO 27001/27002: Information Security Management Standard

Applicable sections (continued):

Wall 2.5 Secure Web Gateways
  PCI/DSS: Requirement 5
  SOX: AI3.2, DS5.9, DS5.10
  GLBA: 16 CFR Part 314.4(b) & (3)
  HIPAA: 164.308(a)(1), 164.308(a)(6)
  FISMA: AC-4, SC-7, SI-3
  ISO 27001/27002: same as Wall 2.1

Wall 4.2 Vulnerability Management
  PCI/DSS: 11.2, 6.6
  SOX: AI3.3
  GLBA: 16 CFR Part 314.4(c)
  HIPAA: 164.308(a)(8)
  FISMA: RA-5, SI-2
  ISO 27001/27002: 12.6, 15.2.2

Wall 5.4 Content Monitoring/Data Leak Prevention
  PCI/DSS: Requirements 3 & 4
  SOX: DS13.4
  HIPAA: 164.310(d)(1), 164.312(a)(2)(iv)
  FISMA: SI-4, AU-2
  ISO 27001/27002: 12.5.4, 15.1.5

Wall 5.5 Digital Rights Management
  PCI/DSS: Requirement 3
  SOX: DS13.4
  HIPAA: 164.310(d)(1), 164.312(a)(2)(iv)
  FISMA: AC-3, CP-9, MP-4
  ISO 27001/27002: 15.1.2

Wall 5.6 Virtual Private Networks (VPNs)
  PCI/DSS: Requirement 4, 8.3
  SOX: AI3.2, DS5.8, DS5.10, DS5.11
  GLBA: 16 CFR Part 314.4(b) & (2)
  HIPAA: 164.312(e)(1), 164.312(a)(2)(iv)
  FISMA: AC-3, AC-17, SC-7, SC-9, SC-23
  ISO 27001/27002: 10.6.2, 11.4.2, 11.7.1, 12.3.1, 12.3.2, 15.1.6

Wall 6.6 Governance, Risk & Compliance Management Tools
  PCI/DSS: all sections
  SOX: PO9, DS5.2, DS7, ME3, ME4
  HIPAA: 164.306(a)(4), 164.306(c)(1), 164.308(a)(1)
  FISMA: IR-7
  ISO 27001/27002: 15 (Compliance)

Wall 6.7 Disaster Recovery and Business Continuity
  PCI/DSS: 12.9.1
  SOX: AI3.2, DS4, DS11
  HIPAA: 164.308(a)(7)(i)
  FISMA: CP-1 through CP-9
  ISO 27001/27002: 7.1.1, 9.1.4, 10.2.1, 10.5.1, 14

Spring 2009, 18th Edition

Defensive Wall 3: Blocking Attacks: Host Based

Summary: If an attack gets through the network defenses, the PCs, workstations, and servers should be prepared to stop it, or at least to minimize the damage. On PCs, individual protection products are being replaced by broader endpoint protection platforms that use common engines and management interfaces to provide equivalent or stronger protection with reduced acquisition and operating costs.

3.1 Endpoint Security
This includes anti-virus, anti-spyware, personal firewalls, host-based IPS, and related technologies installed on the devices employees use.
Products: IBM ISS RealSecure; McAfee Total Protection for Endpoint; Symantec Endpoint Protection; Kaspersky Open Space Security; Cisco Security Agent

3.2 Network Access Control (NAC)
When any computer connects to the corporate network, NAC determines whether the computer is known to the network and who is using it, and verifies its secure configuration and patch level. NAC should also determine whether malicious software is present on the endpoint. Computers that do not meet the enterprise standard can be denied access until their configuration has been corrected.
Products: StillSecure Safe Access; McAfee NAC; Cisco NAC Appliance; InfoExpress CyberGatekeeper; Symantec Network Access Control; Mirage Networks Mirage NAC

3.3 System Integrity Checking Tools
These tools check for unauthorized changes to files: they record a baseline of cryptographic hashes and metadata for the files that matter, and later report any file that differs from it.
Products: Tripwire Enterprise; nCircle CCM File Integrity Monitor; Configuresoft Enterprise Configuration Manager (ECM); AIDE (free); Samhain (free)

3.4 Application Control and Configuration Hardening Tools
These tools test security configurations for variance from standards and enforce security policy against applications that are not trusted.
Products: Configuresoft Enterprise Configuration Manager (ECM); HP Business Service Automation solutions; BMC Configuration Automation

Defensive Wall 4: Eliminating Security Vulnerabilities

Summary: Vendors sell software and hardware with vulnerabilities baked in. Your own programmers and system administrators also make mistakes. That means every user organization has the never-ending task of finding, removing, and replacing bad code, and of reconfiguring misconfigured systems.

4.1 Network Discovery Tools
One class of tool actively scans networks and/or analyzes network traffic to determine which hosts are active. A second class passively watches the network, constantly finding and characterizing all active hosts. Both can find new devices that have appeared and existing hosts running vulnerable or infected software.
Products: Sourcefire RNA; Tenable Network Security Passive Vulnerability Scanner; SolarWinds LANsurveyor; Nmap (free)
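The check that the Wall 3.3 tools perform, written out as an added example (editor-written code, not the poster's or any listed vendor's): it builds a baseline of SHA-256 digests, sizes and permission bits for every regular file under a root, re-walks the tree later, and reports what was added, removed or modified. The /etc-like tree and the tampering applied to it are constructed in a temporary directory. The content hash is what catches the same-length config edit whose timestamp was put back, which a size- or mtime-only check would miss.

```python
"""File-integrity checking as Wall 3.3 tools do it: hash a baseline, re-hash, diff.
Added example; paths and file contents below are constructed, not real system files."""
import hashlib
import os
import stat
import tempfile

CHECKED = ("sha256", "size", "mode")  # attributes whose change counts as a modification


def fingerprint(path):
    """Content hash plus the metadata an intruder commonly tampers with."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root):
    """Fingerprint every regular file under root, keyed by '/'-separated relative path."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope for this example
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """Report files that appeared, disappeared, or changed in any CHECKED attribute."""
    modified = {}
    for rel in baseline.keys() & current.keys():
        diffs = [k for k in CHECKED if baseline[rel][k] != current[rel][k]]
        if diffs:
            modified[rel] = diffs
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": modified,
    }


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Baseline a constructed /etc-like tree, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        passwd = os.path.join(root, "etc", "passwd")
        sshd = os.path.join(root, "etc", "sshd_config")
        motd = os.path.join(root, "etc", "motd")
        _write(passwd, "root:x:0:0:root:/root:/bin/bash\n")
        os.chmod(passwd, 0o644)
        _write(sshd, "MaxAuthTries 3\n")
        _write(motd, "Authorised access only.\n")
        baseline = build_baseline(root)

        # Tampering: a second UID-0 account plus world-writable passwd; a same-length
        # config edit with the original mtime put back (only the hash changes);
        # a dropped cron job; a deleted file.
        with open(passwd, "a") as fh:
            fh.write("backdoor:x:0:0::/root:/bin/sh\n")
        os.chmod(passwd, 0o666)
        before = os.stat(sshd)
        _write(sshd, "MaxAuthTries 9\n")
        os.utime(sshd, (before.st_atime, before.st_mtime))
        _write(os.path.join(root, "etc", "cron.d", "update"), "* * * * * root /tmp/.x\n")
        os.remove(motd)

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for category, items in demo().items():
        print(category, items)
```

The baseline is only as trustworthy as where it is kept: an intruder who can rewrite the monitored files can rewrite a baseline stored beside them, which is why the enterprise products keep it on a separate management host or read-only media, and why a real deployment also records ownership, link targets and extended attributes rather than the three fields used here.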

4.2 Vulnerability Management
These tools discover vulnerabilities and track the organization's progress in eliminating the vulnerabilities that are found.
Products: QualysGuard; Sourcefire RNA; McAfee Foundstone Foundscan; nCircle IP360; SAINT Scanner; Rapid7 NeXpose; Tenable Network Security Nessus

4.3 Penetration Testing and Ethical Hacking
Automated penetration testing tools use multi-stage attack techniques to simulate more closely the methods of skilled attackers. They go further than simple vulnerability scanning and can find more complex vulnerabilities, including ones that only become exploitable when several lesser flaws are chained.
Products: Core Security Core IMPACT; Metasploit (free); SAINT Corp. SAINT Exploit

4.4 Patch and Security Configuration Management and Compliance
To reduce exposure to attacks, known vulnerabilities should be fixed as quickly and as efficiently as possible. Patch management systems automatically deliver and install the correct patches; security configuration management systems automatically eliminate configuration weaknesses, from weak passwords to unnecessary services.
Products: BigFix Unified Platform; Configuresoft Enterprise Configuration Manager (ECM); Microsoft SMS and WSUS (free); Shavlik Security Suite; HP Business Service Automation solutions; BMC Configuration Automation

COSEC: Compliance Through Security


& The 20 Coolest Careers in Info Security
(On reverse side)

Security first, then compliance

Defensive Wall 5: Safely Supporting Authorized Users

Summary: Solutions in this group help ensure that authorized users are not unduly impacted by security requirements while unauthorized individuals are blocked.

5.1 Identity & Access Management
Advanced IAM systems include workflow and provisioning capabilities to make sure access controls are consistent across applications.
Courion Account Courier and others Novell Identity Manager Oracle AccessManager & Identity Manager Sun Identity Manager

5.2 Mobile Data Protection & Storage Encryption


Credit card information and other sensitive, private information would be a lot safer if it were encrypted. In addition, most breach disclosure laws do not require losses to be reported if the data was fully encrypted.
CheckPoint Pointsec PGP Mobile Encryption Credant Mobile Guardian GuardianEdge Data Protection Platform

5.3 Storage & Backup Encryption


Sensitive information has been lost on unencrypted backup tapes and through unauthorized network penetration. Encryption appliances, or backup drives with built-in cryptography, encrypt data stored on those tapes or file systems.
PGP NetShare EMC PowerPath NetApp DataFort nCipher CryptoStor

5.4 Content Monitoring/Data Leak Prevention


Content monitoring and filtering tools are used to enforce acceptable-use policies, as well as detect information leakage. They inspect local storage and internal network traffic looking for sensitive information stored inappropriately or exiting the enterprise.
McAfee Reconnex DLP Verdasys Digital Guardian Symantec Vontu DLP Vericept Protection and Monitor CAB

5.5 Digital Rights Management


DRM applies persistent security policy to stored objects, generally using encryption. DRM requires mature public key management and enterprise directory capabilities in order to be effective.
Aladdin HASP SRM SafeNet Sentinel RMS EMC Documentum

5.6 Virtual Private Networks (VPNs)


VPNs save communication cost by letting users reach their corporate networks over low-cost Internet connections while encrypting the data in transit. VPNs should be used in conjunction with NAC to ensure the connecting endpoints are secure. Most new installations are SSL VPNs. Increasingly, businesses are applying transport encryption to all external network connections, such as MPLS links.
CheckPoint VPN-1 Nortel VPN Gateway 3000 Cisco ASA F5 Firepass Juniper Secure Access OpenVPN (free)


SANS is the most trusted and by far the largest source for information security training, certification, and research in the world.

Defensive Wall 6: Tools to Manage Security and Maximize Effectiveness

Summary: This area covers the tools that manage and improve security processes, as well as the tools needed to reduce the damage done by a successful attack.

6.1 Log Management and Security Information & Event Management
These solutions bring together data from server logs, IDS, firewalls, vulnerability management, and other tools so that an enterprise can find out what actually happened after an attack takes place. Their value comes from normalizing events from different sources onto a common schema and time base and then correlating them, since no single log usually tells the whole story.
Products: LogLogic LX & ST; RSA enVision; TriGeo SIM; SenSage 4.0; ArcSight Logger & ESM; netForensics nFX Log One; Prism Microsystems EventTracker

6.2 Media Sanitization and Mobile Device Recovery and Erasure
Tools to remove all information from storage media before discarding them, and to recover or disable mobile devices.
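What the 6.1 correlation looks like in code, as an added example (editor-written, not from the poster or any vendor listed above): three parsers normalize a firewall log line, a Snort-style "fast" alert and sshd syslog lines onto one event schema, and a rule then flags any successful login that was preceded within ten minutes by an IDS alert or by three failed logins from the same source IP. The log lines are constructed; the year 2009 is assumed for the two formats that omit it, and the signature ID 1:1000001:1 is a made-up local rule number.

```python
"""Cross-source log correlation as Wall 6.1 tools do it. Added example; the log
lines, host names and addresses are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2009  # assumption: syslog and Snort "fast" alerts carry no year

# One regex per source format; each yields the fields needed for the common schema.
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ACCEPT|DROP) "
    r"src=(?P<ip>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")
IDS_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[[^\]]+\] (?P<msg>.+?) \[\*\*\] "
    r"\{\w+\} (?P<ip>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$")
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


def parse_event(line):
    """Return a normalized event {ts, source, kind, ip, detail}, or None if unrecognized."""
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "firewall",
                "kind": "fw_" + m["action"].lower(), "ip": m["ip"],
                "detail": f"{m['dst']}:{m['dport']}"}
    m = IDS_RE.match(line)
    if m:
        ts = datetime.strptime(f"{LOG_YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        return {"ts": ts, "source": "ids", "kind": "ids_alert", "ip": m["ip"], "detail": m["msg"]}
    m = AUTH_RE.match(line)
    if m:
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        kind = "auth_ok" if m["result"] == "Accepted" else "auth_fail"
        return {"ts": ts, "source": "sshd", "kind": kind, "ip": m["ip"],
                "detail": f"{m['user']} via {m['method']}"}
    return None


def correlate(events, window=timedelta(minutes=10), fail_threshold=3):
    """Flag each successful login that, within `window`, followed an IDS alert or at
    least `fail_threshold` failed logins from the same source IP."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    incidents = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["kind"] != "auth_ok":
                continue
            prior = [p for p in evs[:i] if ev["ts"] - p["ts"] <= window]
            alerts = sum(p["kind"] == "ids_alert" for p in prior)
            fails = sum(p["kind"] == "auth_fail" for p in prior)
            if alerts or fails >= fail_threshold:
                incidents.append({
                    "ip": ip, "login_at": ev["ts"].isoformat(), "login": ev["detail"],
                    "ids_alerts": alerts, "failed_logins": fails,
                    "sources": sorted({p["source"] for p in prior} | {ev["source"]}),
                })
    return incidents


def analyze(lines):
    """Parse every line, correlate what parsed, and count what did not (never drop it silently)."""
    events = [parse_event(ln) for ln in lines]
    return {"incidents": correlate([e for e in events if e]),
            "unparsed": sum(e is None for e in events)}


# Constructed sample: one SSH brute force seen by firewall, IDS and host, one benign
# key-based login from an internal host, and one line no parser recognizes.
SAMPLE_LOGS = [
    "2009-03-14T02:10:05 fw01 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=22",
    "03/14-02:10:09.112233 [**] [1:1000001:1] LOCAL SSH brute-force attempt [**] {TCP} 203.0.113.7:51234 -> 10.0.0.5:22",
    "Mar 14 02:10:12 web01 sshd[4121]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Mar 14 02:10:15 web01 sshd[4121]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "Mar 14 02:10:19 web01 sshd[4121]: Failed password for root from 203.0.113.7 port 51238 ssh2",
    "Mar 14 02:11:02 web01 sshd[4130]: Accepted password for root from 203.0.113.7 port 51240 ssh2",
    "2009-03-14T02:12:40 fw01 ACCEPT src=10.0.0.9 dst=10.0.0.5 dport=22",
    "Mar 14 02:12:41 web01 sshd[4150]: Accepted publickey for deploy from 10.0.0.9 port 40022 ssh2",
    "kernel: eth0: link up",
]

if __name__ == "__main__":
    for incident in analyze(SAMPLE_LOGS)["incidents"]:
        print(incident)
```

Timestamps are the weak point of any correlation: the three sources here use three different formats and none carries a time zone, so in practice clocks must be synchronized (PCI/DSS 10.4 requires it) and every event converted to UTC before the window comparison means anything.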

6.3 Security Skills Development
This tool enables individuals to develop and demonstrate mastery of the skills and knowledge that are essential for their jobs.
Products: SANS Institute

6.4 Security Awareness Training
End users cannot be trained into protecting their systems and networks on their own, but once security staff have ensured that all systems are configured securely and networks are properly protected, this training can help users learn which mistakes they must avoid. Free tools that security professionals use in awareness programs:
Security Awareness, Inc. videos: US Dept. of Veterans Affairs and US Dept. of Defense; Security Tip of the Day: USAID (users cannot sign on unless they answer a security question correctly); Monthly Security Awareness Newsletter: SANS OUCH!

6.5 Forensics Tools
When attackers do get through, enterprises need to find out what they accessed, what they damaged, and how they got in. Forensics tools make this easier by intelligently and rapidly examining disk images and the other evidence available after an attack.
Products: Guidance Software EnCase; Paraben Enterprise Shuttle; AccessData Forensic Toolkit; The Coroner's Toolkit (free)

6.6 Governance, Risk & Compliance Management Tools
GLB, FISMA, SOX, PCI, Basel, DITSCAP, DIACAP, and HIPAA each generate enormous documentation burdens for companies, universities, and government agencies. GRCM tools help automate creation of the necessary reports, support the update and dissemination of security policy, and provide a consolidated means of tracking disparate compliance efforts.
Products: Polivec EGS; CA GRC Manager; Archer Technologies SmartSuite Framework; Configuresoft Enterprise Configuration Manager (ECM)

6.7 Disaster Recovery and Business Continuity
Bad things happen: flooding, cyber attacks, bombs. Being ready to respond means having alternative sites with data and systems ready; it also means testing those recovery capabilities.
Products: VMware Infrastructure 3; NetApp MetroCluster; Symantec Backup Exec; HP Business Continuity & Availability Solutions

Products for 6.2 Media Sanitization and Mobile Device Recovery and Erasure: Sybase Afaria; Heidi Eraser; RIM BlackBerry Enterprise Server; Darik's Boot & Nuke (free)

The Leader in Research and Analysis on the Global IT Industry
Note: Gartner's John Pescatore helped shape the categories and the thinking behind the WhatWorks poster. Selection of WhatWorks products and recorded interviews with users are entirely the work of the SANS Institute.

www.sans.org/whatworks
Principal Editor on Compliance Standards and Tools: Dave Shackleford, Configuresoft. Contributors: Tanya Baccam, David Hoelzer, and James Tarala

The 20 Coolest Careers in Info Security ...and the SANS courses that help you advance. Go to www.sans.org for a full listing of courses.

The 20 coolest careers were selected by over 1,000 information technology and network security specialists who responded to a SANS survey. For a more complete picture and advice on how to make it, go to www.sans.org/20coolestcareers.

#1 Information Security Crime Investigator/Forensics Expert: SEC508
#2 System, Network, and/or Web Penetration Tester: SEC542, SEC560, SEC617
#3 Forensics Analyst: SEC508, SEC610
#4 Incident Response, Incident Handler: SEC504, SEC508, SEC610
#5 Security Architect: SEC501
#6 Malware Analyst: SEC610, SEC709
#7 Network Security Engineer: SEC401, SEC501, SEC502
#8 Security Analyst: SEC501, SEC503, SEC560
#9 Computer Crime Investigator: LEG523, SEC504, SEC560, SEC617, SEC427
#10 CISO/ISO or Director of Security: MGT512, MGT525, MGT414, MGT504
#11 Application Penetration Tester: DEV422, SEC542, SEC560
#12 Security Operations Center Analyst: SEC502, SEC503, SEC504, SEC560
#13 Prosecutor Specializing in Information Security Crime: LEG523, SEC401
#14 Technical Director/Deputy CISO: MGT404, MGT512, MGT525, MGT414, MGT504
#15 Intrusion Analyst: SEC401, SEC502, SEC503
#16 Vulnerability Researcher/Exploit Developer: SEC503, SEC542, SEC560, SEC617, SEC709
#17 Security Auditor: AUD410, AUD507, SEC401
#18 Security-savvy Software Developer: DEV422, DEV541, DEV544, DEV545
#19 Security Maven in an Application Developer Organization: DEV422, DEV541, DEV544, SEC401, SEC542
#20 Disaster Recovery/Business Continuity Analyst/Manager: SEC504, SEC508

Key to SANS Courses
AUD410: IT Security Audit and Control Essentials
AUD507: Auditing Networks, Perimeters, and Systems
DEV422: Web Application Security Essentials
DEV541: Secure Coding in Java/JEE: Developing Defensible Apps
DEV544: Secure Coding in .NET: Developing Defensible Apps
DEV545: Secure Coding in PHP: Developing Defensible Apps
DEV548: Secure Coding in C: Developing Defensible Apps
LEG523: Legal Issues in Information Technology and Information Security
MGT404: Fundamentals of Information Security Policy
MGT414: SANS +S Training Program for the CISSP Certification Exam
MGT504: Hacking for Managers
MGT512: SANS Security Leadership Essentials for Managers with Knowledge Compression
MGT525: Project Management and Effective Communications for Security Professionals and Managers
SEC401: SANS Security Essentials Bootcamp Style
SEC427: Browser Forensics
SEC501: Advanced Security Essentials Enterprise Defender
SEC502: Perimeter Protection In-Depth
SEC503: Intrusion Detection In-Depth
SEC504: Hacker Techniques, Exploits, and Incident Handling
SEC508: Computer Forensics, Investigation, and Response
SEC542: Web App Penetration Testing & Ethical Hacking
SEC560: Network Penetration Testing & Ethical Hacking
SEC610: Reverse-Engineer Malware: Malware Analysis Tools and Techniques
SEC617: Wireless Ethical Hacking, Penetration Testing, and Defenses
SEC709: Developing Exploits for Penetration Testers and Security Researchers

How to Be Successful: Tips from the Experts

InfoSec Crime Investigator/Forensics Expert
This expert always thinks there is more to learn and actively seeks out new learning opportunities. Tips: Attend training, conferences, and summits that focus on the methodologies used. Stay abreast of the latest attack methodologies. Stay ahead of the curve on the latest forensic and incident response methodologies. Be familiar with techniques that enable you to quickly analyze malware found on your network using reverse engineering, network analysis, and digital forensics. -Rob Lee, Forensic/Incident Response Faculty, SANS; Principal Consultant, Mandiant Inc.

System, Network, and/or Web Penetration Tester
Combining technical prowess and solid business understanding, successful pen testers need to use outside-the-box, contrarian thinking and attention-to-detail, carefully organized action. As you analyze target systems, continually think about how to unravel their defenses and to spot weaknesses and logic flaws that other people might miss. Be thorough, documenting your methodology and results in a detailed and understandable way, so that your findings are verifiable by skilled IT personnel. When scoping work, always ask target personnel what their biggest security risks and concerns are before testing even begins. Make sure your rules of engagement and test scope are carefully crafted to minimize the chance of misunderstanding. Manually verify salient findings from automated tools to lower the number of false positives. Always present your findings in light of the business risk they cause. -Ed Skoudis, Co-Founder and Senior Security Analyst, InGuardians, Inc.

Malware Analyst
Three suggestions for becoming a good one: Recognize your strengths and weaknesses. A skilled malware analyst possesses expertise in programming AND system and network administration. Build on your strengths, and develop a plan for expanding your expertise in weaker areas. Stay abreast of the threat landscape. Research new threats by reading blogs, books, and papers that discuss malware analysis techniques. Attend conferences where you can brainstorm and learn from other malware analysts. Contribute to the malware research community. Share your insights and suggestions with other analysts via mailing lists, blogs, web forums, and conferences. You will not only contribute to the community's skill set, but also interact with peers who can share their perspectives and help you become the analyst you want to be. -Lenny Zeltser, www.zeltser.com

Security Maven in an Application Developer Organization
Development expert and security activist, you also need the skills of a programmer, security engineer and manager all wrapped up in one. To be successful, you first need to earn respect from your colleagues. It doesn't come overnight; it takes time and hard work. To gain respect, you need superior security knowledge, but even that won't guarantee that others will come to you for advice. For that you need relationship-building and interpersonal skills. Finally, make sure you stay current with the latest news and trends on attack and defense techniques. Stay on top of the recent features in your development platforms, especially on security features. When others come to you for security advice, you should be well prepared and able to give them the best possible security solutions. -Jason Lam, Security Analyst, Major Financial Company

The Key to Success in All 20 Careers
You can have all of the knowledge in the world and the best process and technology, but if you cannot communicate and speak the language of the people you are talking with, you will be ineffective. If you send out emails or speak up in meetings and everyone just smiles as if you hadn't said anything, you are talking, but not communicating. If you work in security, the most important part of communication is to be able to effectively translate between business goals and technical risks. If you cannot explain to management why something is important, they will not fund it. -Dr. Eric Cole, Security Consultant and SANS Fellow

"SANS courses are hands-down the best security courses in the industry. The theory part is among the best, but the teachers' practical knowledge makes the theory real world. The icing on the cake is the hands-on sessions. I have read about the tools before; the course has given me the knowledge and confidence to use them." -Scott Hilts, Bruce Power

Vendor sites and papers:
www.configuresoft.com: The IT Security Butterfly Effect
www.core.com: Smarter Security Spending: Driving ROI via Proactive Testing
www.ironport.com: IronPort Web Reputation Filters
www.mxlogic.com: Identifying and Thwarting Malicious Intrusions
www.netwitness.com: Finding and Stopping the Most Elusive Threats Using Investigator Freeware
www.qualys.com: 4 Key Steps to Automate IT Security Compliance
www.sensage.com: Achieving PCI Compliance with Log Management
www.sourcefire.com: Sourcefire Adaptive IPS
www.splunk.com: Splunk for Security
www.tenable.com: Real-Time Compliance Monitoring
