Interested in learning more about security? What is Code Red Worm? Copyright SANS Institute Author Retains Full Rights



Similar documents
The Mechanisms and Effects of the Code Red Worm

Interested in learning more about security? The OSI Model: An Overview. Copyright SANS Institute Author Retains Full Rights

Easy Steps to Cisco Extended Access List

How To Secure Your Small To Medium Size Microsoft Based Network: A Generic Case Study

Security Awareness Training and Privacy

Introduction to Business Continuity Planning

CSE331: Introduction to Networks and Security. Lecture 15 Fall 2006

Using Windows Update for Windows XP

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Sapphire/Slammer Worm. Code Red v2. Sapphire/Slammer Worm. Sapphire/Slammer Worm. Sapphire/Slammer Worm. Why Was Slammer So Fast?

Using Windows Update for Windows Me

Security Applications of Bootable Linux CD-ROMs

Malware: Malicious Code

Introduction to the Microsoft Windows XP Firewall

The GSM Standard (An overview of its security)

Computer Viruses: How to Avoid Infection

Test Case - Privatefirewall 5.0, Intrusion and Malware Defense

PATCH MANAGEMENT POLICY PATCH MANAGEMENT POLICY. Page 1 of 5

INFORMATION SECURITY

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Worms, Trojan Horses and Root Kits

Malicious Software. Ola Flygt Växjö University, Sweden Viruses and Related Threats

netforensics - A Security Information Management Solution

Interested in learning more about security?

Technology Blueprint. Protect Your Servers. Guard the data and availability that enable business-critical communications

HoneyBOT User Guide A Windows based honeypot solution

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Penetration Testing Report Client: Business Solutions June 15 th 2015

Distributed Scan Model for Enterprise-Wide Network Vulnerability Assessment

CS574 Computer Security. San Diego State University Spring 2008 Lecture #7

Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them

Client Guide for Symantec Endpoint Protection and Symantec Network Access Control

WORMS HALMSTAD UNIVERSITY. Network Security. Network Design and Computer Management. Project Title:

WORMS : attacks, defense and models. Presented by: Abhishek Sharma Vijay Erramilli

PATCH MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

Cisco IPS Tuning Overview

IMS-ISA Incident Response Guideline

Symantec Advanced Threat Protection: Network

Client Guide for Symantec Endpoint Protection and Symantec Network Access Control

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1

6WRUP:DWFK. Policies for Dedicated SQL Servers Group

Protecting the Infrastructure: Symantec Web Gateway

ESET SMART SECURITY 6

SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X)

1 Introduction. Agenda Item: Work Item:

CS549: Cryptography and Network Security

Configuring Allied Telesyn Equipment to Counter Nimda Attacks

Cisco Advanced Malware Protection for Endpoints

Network Incident Report

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

Networking for Caribbean Development

Interested in learning more about security? Why Bother About BIOS Security? Copyright SANS Institute Author Retains Full Rights

Current counter-measures and responses by CERTs

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak Capture Link Server V1.00

ESET NOD32 ANTIVIRUS 8

Lecture 15 - Web Security

Top Ten Cyber Threats

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

CSE331: Introduction to Networks and Security. Lecture 14 Fall 2006

WildFire Reporting. WildFire Administrator s Guide 55. Copyright Palo Alto Networks

Using Tofino to control the spread of Stuxnet Malware

VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE. Summary. Distribution and Installation

Symantec LiveUpdate Administrator. Getting Started Guide

The Value of Vulnerability Management*

6WRUP:DWFK. Policies for Dedicated IIS Web Servers Group. V2.1 policy module to restrict ALL network access

Microsoft Software Update Services and Managed Symantec Anti-virus. Michael Satut TSS/Crown IT Support

A43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006

Indian Computer Emergency Response Team (CERT-In) Annual Report (2010)

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Network Monitoring Tool to Identify Malware Infected Computers

E-BUSINESS THREATS AND SOLUTIONS

Shellshock. Oz Elisyan & Maxim Zavodchik

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0.

Protecting Your Organisation from Targeted Cyber Intrusion

1 Introduction. Agenda Item: Work Item:

Computer Networks & Computer Security

Patch management with WinReporter and RemoteExec

Cryptography and Network Security Chapter 21. Malicious Software. Backdoor or Trapdoor. Logic Bomb 4/19/2010. Chapter 21 Malicious Software

An Analysis of the Capabilities Of Cybersecurity Defense

ESET NOD32 ANTIVIRUS 9

Total Protection for Enterprise-Advanced

Transcription:

Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. What is Code Red Worm? Code Red worm can be viewed as a new generation of Internet worm that took the Internet and security community by surprise. Now there exist a few versions of Code Red worm and each new version proofs to be more malicious then the original Code Red worm. This should serve as a strong motivation for businesses and corporations alike to beef up their system's defense. Prevention is much more cost effective than cure, especially for mission critical systems. A flexible, defense-in-depth strategy that allows adaptation to t... Copyright SANS Institute Author Retains Full Rights AD

What is Code Red Worm? Adrian Tham Aug 4, 2001 Internet Worm The term Internet worm brings to mind the first notorious worm, Morris Worm. A fast self-replicating worm that crippled almost 10 percent of the computer connected to the Internet in Nov 1988[14]. This worm took advantage of exploits in Unix s sendmail, and finger daemon to propagate over the Internet. Though Morris worm could only successfully attack Sun and VAX system which run on Berkeley Unix code, it has caused great damage because these machines made up a large percentage of the Internet. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 These days, most of the headlines on security breaches focus on viruses, for example Love Letter and SirCam viruses. What is a virus? A virus is a program that requires human interaction to spread itself around. A virus is usually introduced to a computer through an e-mail attachment, or from a disk inserted into a computer. A virus is different from a worm. According to RFC 1135: A worm is a program that can run independently, will consume the resources of its host from within in order to maintain itself, and can propagate a complete working version of itself on to other machines [15]. On July 13 2001, the administrators and the computer security community were given a loud wakeup call. A new worm was detected and was spreading rapidly to systems connected to the Internet. This fast replicating worm known as the Code Red Worm took advantage of a flaw in Microsoft Internet Information Server (IIS) to manifest itself. This vulnerability was reported a month before Code Red worm was discovered on the Internet. Many administrators were either not aware of the vulnerabilities existence or were not prepared for the attack. This gave rise to the mass disruption on the Internet traffic. According to CERT/CC, an estimate of more than 250,000 systems were infected in just 9 hours [2]. What is Code Red Worm? Code Red Worm, also known as I-Worm.Bady and W32/Bady.worm from Symantec Antivirus Research Center [19], is a self-replicating malicious code that exploits a known vulnerability in IIS servers. Once it has infected a system, it multiplies itself and it begins scanning random IP addresses at TCP port 80 looking for other IIS servers to infect. At the same time, the home page of infected machines will also be defaced. In addition, it does a denial of service attack on a particular IP address, previously was www.whitehouse.gov within certain timeframe, but later a variant were discovered that does not deface webpage on the infected host. Key Quoted fingerprint Information = AF19 FA27 Assurance 2F94 998D Foundations FDB5 DE3D discussion, F8B5 06E4 vulnerabilities A169 4E46 are the gateways by which threats manifest. Let s look at the vulnerability discovered in the IIS server, follow by the worm operation.

Vulnerability in Microsoft Windows IIS Index Server ISAPI extension On June 18, 2001 eeye Digital Security [8] reported that the existence of a remote buffer overflow vulnerability in all version of IIS Web server software. Using the default Internet Information Server installation process, several Internet Service API (ISAPI) extensions or dynamic linked libraries were included. One of extension mapping, idq.dll is a component of Index Server (known as Indexing Service in Windows 2000) and it provides support for administrative scripts (.ida files) and Internet Data Queries (.idq files). The indexing server 2.0 and indexing services provide full-text search and indexing service to search data on a web server or site. Security vulnerability was discovered in idq.dll (Indexing service). The ISAPI filter Key does fingerprint not perform = AF19 proper FA27 bounds 2F94 checking 998D FDB5 on DE3D user inputted F8B5 06E4 buffers. A169 A 4E46 remote attacker connecting to the server can initiate an attack that will overflow the buffer. This will cause either a Denial of Service on the server, or introduce a code to run on the targeted server. Such code running in the Local System security context would give the attacker completes control of the server, thus enabling them to take virtually any action on the target server they chose, including changing web pages, reformatting the hard drive or adding new users to the local administrators group. The vulnerable index service ISAPI are the affecting the following systems: Microsoft Windows NT 4.0 IIS Services 4.0, Microsoft Windows 2000 IIS Services 5.0, Microsoft Windows XP beta IIS Services 6.0 beta Extensive reports can be obtained in CIAC Bulletin L-098, Microsoft Index Server ISAPI Extension buffer Overflow [1] and Microsoft Security Bulletin MS01-033, Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise [11]. Code Red Worm Operation The following lists the first version of Code Red worm operation: 1. The worm attempts to connect to TCP port 80 on a randomly selected host assuming that web server will be found. Upon successfully connected, the attacking host sends a HTTP GET request to the victim. That request exploits the buffer overflow vulnerability causing the worm to be executed on the system. The worm is not written to disk but injected and executed directly from memory. The beginning of the worm's attack packet looks like the following: GET/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb Key d3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 8b00%u531b%u53ff%u0078%u0000%u00=a 2. Once executed, the worm checks for the file c:\notworm. If the file exists, the thread goes into an infinite sleep. If the c:\notworm file does not exit, new threads are then

created. Each thread may cause another thread to be spawned causing continually thread creation to a number of 100. 3. The next 99 threads attempt to exploit more systems by targeting random IP addresses, if the date is before 20 th of the month. 4. The 100 th thread of the worm code defaces the web server s homepage if the system s default language is US English. Firstly, the thread sleeps for 2 hours and then hooks a function which response to HTTP requests. That link is then pointed to worm code that produces the web page as shown below. The changes in the home page is not done by changing the home page in the physical disk files, but is done by the code in the memory. This hook lasts for 10 hours and is then removed. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 5. If the date is between the 20 th and 28 th, the active threads then attempt a Denial of Service attack on a particular IP address 198.137.240.91 (once was www.whitehouse.gov) by sending a large amount of junk data, 98,304 packets. 6. If the date is greater than 28 th, the worm s threads are directed into an infinite sleep. Detail analysis of the worm can be found in the following locations: URL: http://www.eeye.com/html/research/advisories/al20010717.html URL: http://www.securityportal.com/research/virus/profiles/codered.html Reported in Handler's Diary [9], second variant of the CODE RED worm has been Key captured fingerprint within = a AF19 short FA27 period 2F94 after 998D the first FDB5 was DE3D released F8B5 in the 06E4 Internet. A169 4E46 The differences are: 1. It uses Time-based randomness to select a list of target IP addresses; 2. Web page defacement has been disabled.

These changes have made the worm more effective in spreading since it does not restrict itself to a set of IP addresses. And also target user might not be aware that its IIS is under attack because there is no physical view on the infected IIS server that the worm is present. A new version of Code Red worm known as Code Red II was discovered on 4 Aug 2001, uses the same "buffer overflow" exploit to propagate to other web servers. According to eeye Digest Security, Code Red II has a different payload than the original worm [6]. 1. It creates a back door process on the infected machine by copying a command shell CMD.exe to a externally accessible location, 2. It also leaves a trojan explorer.exe on the root directory, 3. Its propagation rate has also increased tremendously. If the system is a Chinese IIS Key server, fingerprint the = worm AF19 creates FA27 2F94 600 threads 998D FDB5 and attempts DE3D F8B5 to spread 06E4 A169 for 48 4E46 hours. If the system is a non-chinese IIS, the worm creates 300 threads and attempts to spread for 24 hours. After the infection-spreading interval, the system is forcibly rebooted. The reboot flushes the memory resident worm, and leaves the backdoors and the explorer.exe trojan in place. Mitigations Online advises on how to remove the vulnerability are available in many security sources such as Digital Island, National Infrastructure Protection Center, Symantec, CERT Advisory, SecurityPortal.com. Generally using a standard anti-virus program may not be an effective solution to detect and remove this worm because the worm exists only in memory on a system and it does not write to disk. There are some free tools available on the Internet to check if the IIS is vulnerable. Such examples would be the program called FixCodeRed from Symantec that warns of vulnerable systems and scan memory to detect traces of the Code Red worm. Another such program CodeRed Scanner from eeye Digital Security. A normal system reboot will remove the worm and restore the system. However, due to the large number of infected systems and the fact that they may attack the same list of IP addresses again, there is a high chance that a system will be re-infected as soon as it reboots. An effective way of removing the threat is to locate the causes of the vulnerability. The following is a suggestion to protect the system 1. Disable.ida,.idq, and for all other script mappings that are not explicitly required by IIS and 2. Patch the.ida processor. If the system does not require the index server,.ida processing should be disabled. CIAC Bulletin L-117 has defined the steps to test a server on whether the.ida processing is Key enabled fingerprint [2]. TruSecure, = AF19 FA27 Alert- 2F94 TSA-01-020 998D FDB5 [22] DE3D lists F8B5 the 06E4 steps A169 to remove 4E46 the script mapping for.ida,.idq, and for all other script mappings that are not explicitly required in IIS. One must aware that disabling.ida should be a temporary solution until the patch can

be installed. This is because future additional Windows s component installation could possibly reactivate the.ida. Apply the MS IIS patch to remove the Code Red problem - Windows NT version 4.0: URL: http://www.microsoft.com/downloads/release.asp?releaseid=30800 Windows 2000 Professional, Server and Advanced Server: URL: http://www.microsoft.com/downloads/release.asp?releaseid=30833 Step-by-step instructions for these actions are posted at URL: http://www.digitalisland.net/codered Additional information about the patch, its installation, and the vulnerability is available Key at follow fingerprint URL: = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms 01-033.asp. Some of the Internet devices listen on port 80 may be vulnerable to the attack or denial of services due to port scan. Cisco has made patches available to remedy this vulnerability at URL: http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml Conclusion Code Red worm can be viewed as a new generation of Internet worm that took the Internet and security community by surprise. The last such attention-grabbing worm was detected 13 years back, known as the Morris worm. Now there exist a few versions of Code Red worm and each new version proofs to be more malicious then the original Code Red worm. This should serve as a strong motivation for businesses and corporations alike to beef up their system s defense. Prevention is much more cost effective than cure, especially for mission critical systems. In order to build up a bullet proof system, I would look into 3 basic concern:1) Corporate security policies 2) Security professionals practices 3) Tools to enforce security protection. When a company adopts certain software, it is unlikely to have a 100% guarantee that the software is free of flaws. Reason being that the software may contain inherent flaws that were not identified at the time it is released to the market. Proactively identifying security loopholes and enforcing the effective and timely patching of the flaws is a prerequisite to ensure the security of the system. Microsoft provides Internet Information Services checklist for the IIS users to find the available security fixes available at following location: IIS4.0 URL: http://www.microsoft.com/technet/itsolutions/security/tools/iischk.asp IIS5.0 URL: http://www.microsoft.com/technet/itsolutions/security/tools/iis5chk.asp Key It is fingerprint important = for AF19 security FA27 2F94 professional 998D FDB5 to DE3D keep themselves F8B5 06E4 abreast A169 4E46 of the latest information on new available patches released by the vendors, and what is happenings on in the security community. One way to stay current is to subscribe to security bulletins and newsletters to obtain the latest information and issues faced by other professionals on the field.

Patching this IIS vulnerability is definitely not good enough, as new worms would seek out different ways to access systems and networks. A flexible, defense-in-depth strategy that allows adaptation to the dynamic environment plus well-defined policies and procedures are required to keep the system secured. It is helpful to devise a continuous lifecycle security plan that will update security policy, practices and supporting tools to secure systems and information against future attacks. Security Bulletins Computer Incidents Advisory Center URL: http://www.ciac.org/ciac/ciachome.html Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 CERT Coordination Center (CERT/CC) URL: http://www.cert.org/nav/index.html Microsoft Security Notification Service URL: http://www.microsoft.com/security/ SANS Institute NewsBites URL: http://www.sans.org/newlook/digests/newsbites.htm SANS Emergency Incident Handler Incident.org URL: http://www.incidents.org/ Security Portal URL: http://www.securityportal.com References [1] Computer Incident Advisory Center, L-098: Microsoft Index Server ISAPI Extension buffer Overflow URL: http://www.ciac.org/ciac/bulletins/l-098.shtml [2] Computer Incident Advisory Center, L-117: The Code Red Worm, July 19, 2001. URL: http://www.ciac.org/ciac/bulletins/l-117.shtml [3] CERT Advisory, CA-2001-19 Code Red Worm Exploiting Buffer Overfolw In IIS Indexing Service DLL, July 20, 2001. URL: http://www.cert.org/advisories/ca-2001-19.html [4] Cisco, Cisco Security Advisory: Code Red Worm Customer Impact, July 20, Key 2001. fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 URL: http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml [5] Digital Island, Code Red Worm InfoSec Bulletin URL: http://www.digitalisland.net/codered/

[6] eeye Digital Security, CodeRedII Worm Analysis, Aug 4, 2001 URL: http://www.eeye.com/html/advisories/coderedii.zip [7] eeye Digital Security,.ida Code Red Worm, July 19, 2001. URL: http://www.eeye.com/html/research/advisories/al20010717.html [8] eeye Digital Security, MS IIS Remote buffer overflow (SYSTEM Level Access), June 18, 2001. URL: http://www.eeye.com/html/research/advisories/ad20010618.html [9] Handler's Diary, CodeRed II, Aug 6, 2001 Key URL: fingerprint http://www.incidents.org/react/code_redii.php = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 [10] HarshTruth, Major Alert!!! Code Red Worm, June 18, 2001 URL: http://www.harshtruth.com/warnings.html [11] Microsoft, Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise, June 18, 2001. URL: http://www.microsoft.com/technet/security/bulletin/ms01-033.asp [12] Microsoft, Hotfix for Windows NT 4.0 URL: http://www.microsoft.com/downloads/release.asp?releaseid=30833 [13] Microsoft, Windows 2000 Professional, Server and Advanced Server patch: URL: http://www.microsoft.com/downloads/release.asp?releaseid=30800 [14] Sullivan, Bob, MSNBC "Remembering the Net Crash of 88" URL: http://www.msnbc.com/news/209745.asp [15] Network Working Group, The Helminthisasis of the Internet, December 1989 URL: http://www.worm.net/rfc1135.txt [16] National Infrastructure Protection Center, Ida Code Red Worm, 17 July 2001 URL: http://www.nipc.gov/warnings/alerts/2001/01-016.htm [17] SecurityPortal URL: http://www.securityportal.com/research/virus/profiles/codered.html [18] SANS, Securing IIS Against Code Red, Jason Fossen. URL: http://www.digitalisland.net/codered/ Key [19] Symantec, fingerprint = CodeRed AF19 FA27 Worm, 2F94 July 998D 31, 2001. FDB5 DE3D F8B5 06E4 A169 4E46 URL: http://www.sarc.com/avcenter/venc/data/codered.worm.html

[20] Symantec, Symantec Enterprise Security Solutions protect against the Microsoft Windows IIS Index Server ISAPI System-level Remote Access Buffer Overflow, June 20, 2001. URL: http://www.sarc.com/avcenter/security/content/2001_06_20a.html [21] Symantec, CodeRed.v3, Aug7, 2001. URL: http://www.sarc.com/avcenter/venc/data/codered.v3.html [22] TruSecure Alert- TSA-01-020 IIS Index Server Worm, 17 July 2001. URL: http://www.trusecure.com/html/tspub/hypeorhot/rxalerts/tsa01020_cid115.shtml Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

Last Updated: August 21st, 2016 Upcoming SANS Training Click Here for a full list of all Upcoming SANS Events by Location SANS Bangalore 2016 Bangalore, IN Aug 22, 2016 - Sep 03, 2016 Live Event SANS Chicago 2016 Chicago, ILUS Aug 22, 2016 - Aug 27, 2016 Live Event SANS Virginia Beach 2016 Virginia Beach, VAUS Aug 22, 2016 - Sep 02, 2016 Live Event SANS Adelaide 2016 Adelaide, AU Sep 05, 2016 - Sep 10, 2016 Live Event SANS Brussels Autumn 2016 Brussels, BE Sep 05, 2016 - Sep 10, 2016 Live Event SANS Northern Virginia - Crystal City 2016 Crystal City, VAUS Sep 06, 2016 - Sep 11, 2016 Live Event SANS Network Security 2016 Las Vegas, NVUS Sep 10, 2016 - Sep 19, 2016 Live Event SANS ICS London 2016 London, GB Sep 19, 2016 - Sep 25, 2016 Live Event SANS London Autumn London, GB Sep 19, 2016 - Sep 24, 2016 Live Event MGT517 - Managing Security Ops San Diego, CAUS Sep 26, 2016 - Sep 30, 2016 Live Event Security Leadership Summit Dallas, TXUS Sep 27, 2016 - Oct 04, 2016 Live Event SANS Seattle 2016 Seattle, WAUS Oct 03, 2016 - Oct 08, 2016 Live Event SANS Oslo 2016 Oslo, NO Oct 03, 2016 - Oct 08, 2016 Live Event SANS DFIR Prague 2016 Prague, CZ Oct 03, 2016 - Oct 15, 2016 Live Event SANS Baltimore 2016 Baltimore, MDUS Oct 10, 2016 - Oct 15, 2016 Live Event SANS Tokyo Autumn 2016 Tokyo, JP Oct 17, 2016 - Oct 29, 2016 Live Event SANS Tysons Corner 2016 Tysons Corner, VAUS Oct 22, 2016 - Oct 29, 2016 Live Event SANS San Diego 2016 San Diego, CAUS Oct 23, 2016 - Oct 28, 2016 Live Event SANS FOR508 Hamburg in German Hamburg, DE Oct 24, 2016 - Oct 29, 2016 Live Event SANS Munich Autumn 2016 Munich, DE Oct 24, 2016 - Oct 29, 2016 Live Event SOS SANS October Singapore 2016 Singapore, SG Oct 24, 2016 - Nov 06, 2016 Live Event Pen Test HackFest Summit & Training Crystal City, VAUS Nov 02, 2016 - Nov 09, 2016 Live Event SANS Sydney 2016 Sydney, AU Nov 03, 2016 - Nov 19, 2016 Live Event SANS Gulf Region 2016 Dubai, AE Nov 05, 2016 - Nov 17, 2016 Live Event SANS Miami 2016 Miami, FLUS Nov 07, 2016 - Nov 12, 2016 Live Event European Security Awareness Summit London, GB Nov 09, 2016 - Nov 11, 2016 Live Event SANS London 2016 London, GB Nov 12, 2016 - Nov 21, 2016 Live Event Healthcare CyberSecurity Summit & Training Houston, TXUS Nov 14, 2016 - Nov 21, 2016 Live Event SANS Alaska 2016 OnlineAKUS Aug 22, 2016 - Aug 27, 2016 Live Event SANS OnDemand Books & MP3s OnlyUS Anytime Self Paced

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information