By Brandon Harms, CISSP, CCNP, FCNSP, et al

A quick review of the Bureau of Labor Statistics Occupational Outlook shows us that ethical hackers will be in higher and higher demand over the next decade. With this demand, the need for a supply of highly qualified and professional information security personnel increases. The supply of highly qualified and professional personnel can only be created by organizations that can train and mentor them en masse, or rather, a large quantity of them relatively quickly. For ethical hackers the training material must be relevant, organized, and able to lay down the foundation on which one can build with real world experiences. More importantly, the delivery of said material must be engaging and from a respected source.

I recently traveled, metaphysically anyway, to the underground bunker in the Black Hills of such a source. The purpose of my journey was to interview SANS instructor, PaulDotCom staff member and Professor, John Strand. John has a unique background working with the government, commercial, and consulting industries prior to teaching that gives him insights into the art, learning path, and career outlook of the ethical hacker. During the week of the interview I sat through the SANS vLive! course, “Metasploit Kung Fu for Enterprise Pen Testing,” and I was impressed not only with the material but more importantly, as emphasized above, the delivery of the material.

del.icio.us

Discuss in Forums (2)

We Have a Winner!!

Time to step it up. Long time member of the security community and friend of EH-Net, Joe McCray of LearnSecurityOnline, gets you out of PPT hell and into a highly secure lab environment for 5 days of intense training. The winner of the free seat in his course to be held 13th - 17th December 2010 just outside of DC is long time member Jason. Congrats and thanks for the continued contributions to the community over the years.

Advanced Penetration Testing (APT): Pentesting High Security Environments is a five-day intensive course that focuses attacking and defending highly secured environments such as 3-letter agencies, DoD, financial organizations, federal organizations, and large companies. This is NOT your normal Ethical Hacking course. You won't be attacking unpatched Windows 2000 Servers, and you won't be learning a bunch of outdated tools. In APT, you will be learning how to attack new OSs such as Windows Vista, Windows 7, Windows Server 2008, and the latest Linux servers. All of these servers will be patched and hardened. Both Network and Host-based Intrusion Detection/Preventions systems (IDS/IPS) will be in place as well. The learning curve is high, but the rewards are astronomical. Over 80% of class is hands-on hacking labs. It is however primarily designed for Network/Web Application Penetration testers that are looking for the little tips and tricks that will help them better attack high security environments.

Joe and I have worked out an even better deal. EH-Netters get a $500 discount! At only $1500, this course is a steal. Click here now to reserve your seat. Full course description can also be found at the link provided.

del.icio.us Discuss in Forums (18) Participation is the ONLY way to win. Start a thread that sparks lots of interest; share thoughts and experiences; help a newbie... quality is more important than quantity. Only members are eligible! Registration Is FREE!

Book Review by Andrew Johnson, CISSP, CISA, GPEN, et al

Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide was written by Laura Chappell, a name that should be familiar to even the most casual Wireshark user. She is without a doubt the most well-known Wireshark trainer and has many years of experience producing and delivering Wireshark training. All of that knowledge and experience has culminated in this definitive resource.

The most important thing to do when considering purchasing a book like Wireshark Network Analysis is to understand what it is, what it isn’t, and adjust your expectations accordingly. Given the vast breadth of material this book covers in its 700+ pages, it is impossible to be an authoritative resource on everything it touches upon. It is first and foremost a book written specifically for the Wireshark certification, and it covers the Wireshark application inside-and-out. This book also does an excellent job of introducing network analysis in general and explains key aspects of many common network protocols. However, it is not a comprehensive guide on all those topics (but isn’t that what the RFCs are for anyway?).

del.icio.us

Discuss in Forums (2)

Review by RichM

“Dissecting the Hack: The F0rb1dd3n Network, Revised Edition” by Jayson E. Street, Kent Nabors and Brian Baskin is not intended for the average reader of The Ethical Hacker Network, and this is what makes the book so intriguing.  The forward specifically points out how hard it is to speak with management about security, and how lost they get. It even comes complete with an explanation of the “glazed over eyes.”  Talking with decision makers is a topic often overlooked, and something that needs to be explored and dissected.  At the end of the day, no matter how great you think your idea is, if you don't get management buy-in, the idea dies and you are forced to re-bury your department's head back in the proverbial sand.

del.icio.us

Discuss in Forums (3)

Review by Jon Janego

What does the average security professional know about wireless technology, and wireless security in particular?  Sure, it’s easy to pwn WEP... but unfortunately, this is the extent of most people’s knowledge.  Many security testing firms even view wireless security as an “afterthought” or a separate practice entirely.

With the second edition of Hacking Exposed: Wireless, Johny Cache, Josh Wright, and Vinnie Liu aim to teach us all that there’s a lot more to wireless security than WEP cracking.  For those who follow the wireless world, the names of these three should be immediately familiar.  Josh and Johny, in particular, have long been known as thought leaders in the wireless security space and have written or contributed to many of the tools and research used in the field.  And with this fully revised and expanded edition of the book, these three great minds have come together, and the end product is an excellent book that covers some of the most cutting-edge technology while remaining very readable and down-to-earth.  It’s a book that deserves space on any hacker’s bookshelf.

del.icio.us

Discuss in Forums (3)

This year I had the opportunity to take a few stellar instructor-led training courses, one of which was Joe McCray's "Advanced Penetration Testing: Pentesting High Security Environments" course from his training entity LearnSecurityOnline.

Since I'm already doing pen testing full time I feel like it's a tremendous opportunity to see what techniques other testers use. I'm definitely not arrogant enough to think I know everything, but I do know Joe is tremendously skilled and has many more years "in the game" than I have. What an opportunity for me to learn from the best.

Joe's class is presented as higher level pen test course. There are no real introductions into pen testing theory, tools, or syntax. APT is largely comprised of labs and demos. The course also has a very unique structure. It comes from the mindset of attacking from the outside (web) and pivoting through the DMZ to the LAN. There is a lot of emphasis on stealth, persistence, and evasion. Even if your testing isn't scoped this way it is a powerful ability to be able to show your clients how one seemingly innocuous web flaw can lead to network disaster. Regardless, I found that this class was beneficial even to those that separated web and network scopes.

This review covers the course offered in conjunction with Black Hat Training at the venerable annual event in 2010 and will take a detailed look at the 2-day agenda, coverage of the 5-Day version of the course, thoughts on presentation and technical content, conclusions made as well as modest recommendations.

del.icio.us

Discuss in Forums (7)

We Have Winners!!

We often talk about the foundation one needs to become a security professional and perhaps eventually an ethical hacker. Most who have ventured into this or an associated field have come from one of a few areas: systems admin, programming or networking. So to ensure that you have the networking portion covered, we offer up this month's prize of video training for Cisco Certifications from long-time training provider, CareerAcademy.com. Of course be sure to check out their security video training titles as well including CEH, CISSP, Security+ et al.

To the 2 deserving members this month goes CareerAcademy.com's latest Cisco Authorized Video Training Library. EH-Net members H1t M0nk3y and Dark_Knight each get 3 months of unlimited online access to all of the following Cisco® training programs (list below). Congratulations to you both. 

del.icio.us Discuss in Forums (14) Participation is the ONLY way to win. Start a thread that sparks lots of interest; share thoughts and experiences; help a newbie... quality is more important than quantity. Only members are eligible! Registration Is FREE!

Tutorial by Wardell Motley

Maltego, developed by Roelof Temmingh, Andrew Macpherson and their team over at Paterva, is a premier information gathering tool that allows you to visualize and understand common trust relationships between entities of your choosing. Currently Maltego 3 is available for Windows and Linux. There is also an upcoming version for Apple users that has yet to be released.

Information gathering is a vital part of any penetration test or security audit, and it’s a process that demands patience, concentration and the right tool to be done correctly. In our case Maltego 3 is the tool for the job.

In this article we explore Maltego 3 and examine its fundamental features and a little hands-on with the newly designed version. If you haven’t already had a chance to upgrade to or pick up Maltego 3 you are missing out.

del.icio.us

Discuss in Forums (3)