EH-Net
March 12, 2010, 01:49:58 AM
  Show Posts
Pages: [1] 2 3 ... 8
1  EH-Net / Calendar Of Events / Re: CarolinaCon 6 on: Yesterday at 03:33:27 PM
Anybody in the area should stop by. There are some cool speakers from some of the bigger cons that will be here as well. You will be able to interact a bit more with folks, which is great. It's a smaller venue, so more networking and questions. Stop by and say hi.


2  Ethical Hacking Discussions and Related Certifications / Other / Re: HNNCast's take on Ethical Hacker (the phrase not the site) on: March 07, 2010, 03:50:17 PM
This is relevant I think:
http://www.spacerogue.net/wordpress/?p=191

It is basically about the whole conversation of "We don't hire hackers".

When it comes down to it, ethics are flexible. Mine and yours won't match up on certain issues. There is legal and illegal, and in different parts of the world, those won't match up. Certifying someone as ethical is like classifying porn vs. art; the "I know it when I see it" concept has always been bogus.

It all goes back to trust and risk management.  I trust that a pen tester from company X won't destroy my world.  There is a risk that he/she will, but I would have recourse in this situation.  Reputation is very important in security, and who you know is as important as what you know. 
3  Ethical Hacking Discussions and Related Certifications / GPEN - GIAC Certified Penetration Tester / Re: How difficult is the GWAPT certification on: March 07, 2010, 09:31:33 AM
For the guys who say the GWAPT was harder than the GPEN, what is your background? Is it in development/programming or network admin stuff?

Both, I program in C/C++/PHP/Perl/Python/Ruby/Lua predominantly but am not a true developer. The reason the web stuff is harder course-wise is that there is much more subtlety to what you are doing. Do you need a ' or a " when you are doing a specific injection? What happens when the script upper-cases every command you type for command injection (Unix doesn't like that much)? Those sorts of things you don't have to deal with as much in the network pen testing classes.

That said, I should say if you have no programming background at all, you may find 542 even more challenging. There are days in there to teach basic scripting, but you will be slower than your counterparts who have some very basic experience in programming/scripting. That said, you don't have to have programming knowledge to take the course; you will do ok without it, but you will have to work harder.
4  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: A cautionary tale for Penetration testers on live networks on: March 06, 2010, 02:38:21 AM
Out of curiosity, did the pen testers recommend any strategic changes to your incident response procedures or any additional procedures to put in place in case this happens again? This is an excellent example of how having an incident response team with the proper professionals on it could have probably gotten things resolved faster. You post this as a cautionary tale, with good reason, but it seems like there could have been some great positives to come out of this that would last through a potential real attack. Losing money is never good, but if you gotta lose money, make the most out of it that you can. :) I think if nothing else, some critical business points which are vulnerable to attack were exposed here.



5  Ethical Hacking Discussions and Related Certifications / GPEN - GIAC Certified Penetration Tester / Re: How difficult is the GWAPT certification on: March 06, 2010, 01:36:36 AM
The GWAPT test was harder than the GPEN test. Part of it is that web pen testing is about nuance, where many of the things on GPEN are more straightforward. An app is either vulnerable or it's not, whereas an XSS or SQL injection can look a number of ways. We covered Nessus in GPEN; there are 4 or 5 scanners used for GWAPT. It's the little things that will get you. I thought the GWAPT class was harder than the GPEN class too. I think that part of that is due to the fact that Ed Skoudis is a badass when it comes to course devel. His courses have a great flow to them, and Ed is an excellent educator. Kevin's class, the web app pen testing class, is very good, but the information doesn't have as much of a flow to it. It is still an excellent class, but the material that has to be covered can't really have as much of a natural flow to it.

I think you should take 560 (GPEN) before you take 542 (GWAPT). This is more forward than I normally am, but the GPEN will get you the business knowledge and the GWAPT covers more skills-type things. Once you're thinking like a pen tester business- and skills-wise, the GWAPT will go better. GWAPT was a kick-ass class though, and you will learn great stuff. I haven't seen any course material out there that covers what GWAPT covers as well as it covers it.

6  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Where should I start on: March 05, 2010, 08:33:41 AM
While you don't have to learn any web programming to be a web app pen tester, you will have to learn some to be a good one. The resources that you have listed are good, but I might try to go ahead and start working on picking up some PHP, JavaScript, etc.

So.. good web resources:
RSnake has some great resources. Check them out at http://ha.ckers.org/ . Specifically check out the XSS Cheat Sheet. I go back and reference it from time to time when folks have mostly gotten data validation done correctly but have missed something.

Samurai WTF: Samurai Web Testing Framework can be found at http://samurai.inguardians.com/ . This live CD distribution has many of the tools that you will want to become familiar with. This is a pretty lightweight distribution with great tools, and is a great start.

I'm sure others will post more. :)
7  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Brief anatomy of a SQL Injection on: March 04, 2010, 03:24:22 PM
Well, part of this is also that when teaching people to program in schools, schools haven't historically focused on things like input validation. Whether it is XSS, SQL Injection, or a number of other attacks, input validation is always secondary to functionality. It's more important than just preventing SQL Injection and XSS, as those are talked about quite a bit; poor input validation also leads to poor data integrity. In most cases, there should be two levels of integrity checking, one enforced at the database layer and one enforced through the application layer, allowing for user feedback and correction.

I wish they taught more of this in school, as I think most people learn this stuff now on the job or the hard way.
8  Features / /root / Re: [Article]-Interview: Joe McCray of LearnSecurityOnline on: March 02, 2010, 03:05:08 PM
Nice interview Jason.  Great content and great subject. 
9  Columns / Linn / Re: [Article]-Final Course and Exam Review: Pen Testing with BackTrack on: March 02, 2010, 02:41:03 PM

I have read your articles with great pleasure! However, I have a question: depending on your prior knowledge, how do you compare the CEH certificate to the OSCP regarding difficulty? And how does this align with GPEN?

Excellent question.  I have updated my signature with my list of certifications, but unfortunately I don't have CEH.  I have only formulated thoughts based on what I know from other people and from reading the curriculum and browsing through the course materials. 

The CEH appears to be a mile wide and an inch deep in some places, and a foot deep in others. You will get a lot of exposure to the whole world of security, but very little of it will be deep enough on its own. If you are brand new to computer security, then this course should give you a crash course in the things that you will need to know along the way. My personal view on the course, having never taken it and only talked to others, is that this is the course that should tell you how much you don't know. That is very valuable in that it's hard to figure out where to go until you know what information you don't know yet.

The GCIH is a good starting point in my opinion.   This course is really 1/2 incident response, 1/2 pen testing.  The two are linked in my mind in that unless you really understand what is going on, it's hard to figure out what happened.  This course also provides a good Linux intro which will prove positive for any of the next courses you take.  Netcat, Nmap, Metasploit, and other tools are covered sufficiently that you should be able to go home and start exploring.  I already knew some coming into this class, but after this course I understood Nmap and Metasploit much better and started writing Nmap NSE scripts right after I left the course.

From here, there are 3 ways that you can go, and they each have separate benefits.  There are more than these 3 certs, but these are the ones I have so I feel like I can speak more authoritatively on them.

The GPEN starts off with the business side of pen testing and making sure you don't find yourself in trouble along the way. The CEH covers some of the legal things as well, so the legal part isn't unique, but I think that this course does an excellent job of laying out things like scoping, requirements, business purpose and other things that are real-world problems but people coming in may not think about as much. This course goes a lot deeper into each of the different penetration testing stages, focuses on the goal of each stage, and provides tools, thoughts, and some Ed Skoudis ninja skills along the way. You should walk out of this course with a better understanding of how to think about a pen test from a business standpoint, what types of recon you need to do, how to perform them, and a better understanding of many pen testing tools. After this course, I went and wrote Metasploit modules and did some other fun things with Metasploit. There is a final-day capture the flag with good challenges for everyone and exposure to many technologies.

The GWAPT is the Web Application Pen Testing certification.  Many things are moving in the direction of the web and this course by Kevin Johnson of Inguardians addresses this new trend.  You should read my review of this course to find out more, but overall, if you want to get stronger in web stuff, this is the class.

The PWB/OSCP takes a different point of view. It doesn't cover a lot of the business stuff, but instead takes the skill portion and really expands on it. It's less formal than the SANS or EC-Council classes, but if you do well on the exam then I would think that's a good indication that you have skills that can be directly applied to network penetration testing. It really focuses on: here are the steps, here are the tools, here is how you use the tools, and here is what you do with the output. If you don't get those concepts by the end of the course, you will probably not do well on the final test. The other area where this course concentrates, where the others really don't as much, is explaining the how/what/why of exploit development. This isn't something that most people will use in penetration tests. The time when this is useful, and will really set someone apart, is when you have a working exploit that isn't written for your target platform (for instance Windows XP Home instead of Pro) and you need to have it run on Pro; you should have the basic knowledge to know what you are looking for in order to make the changes to have it work. You will probably even be able to do basic buffer overflow exploits without much problem, but you won't be able to do more of the advanced exploits.

Again, these are the certs/classes I've taken, so I can speak only to them.  Hopefully at this point you know what you will get out of each one.  I will say this, I learned a lot in each of these courses. 

I'm looking forward to taking the Cracking The Perimeter class. My understanding is that the beginning of the next review may start off with "I have been defeated". The informality of the PWB class made it incredibly fun, and even though it was somewhat stressful, the OSCP was the most fun exam I have ever taken. Most places you get multiple choice; with OSCP, there is no multiple choice, you either get it, or you have to try harder.
10  Columns / Linn / Re: [Article]-Review: Penetration Testing with BackTrack by Offensive Security Part 3 on: February 18, 2010, 01:37:29 PM


And looking through the posts on the lab forums it seems that many people have been floundering. I'm not saying that the material is not worth the money, just that to get the most out of it requires a serious investment in time (or a little luck to guess the "tricks" that are hinted at on the forums).


I attribute this to two things. As you said, many people are used to being spoon-fed material and then being forced to regurgitate that material at a later time. This course is not about that at all. This course is about understanding the material and applying it in context. So, if people are glancing over the material and then going "ok, where in the content can I find out how to hack a Red Hat box", then they will get very little out of the class.

The second thing is that while people may have learned some of the material from the course, they aren't taking the course as a whole into consideration.  This course is great for talking about looking at all of the resources you have at hand.  After having done the exercises in the class, I can say that if you are blindly trying things, you will never get but a small fraction of the content.  If you are approaching things like the course taught, and going through and doing quality enumeration and mapping, and then doing some basic googling/grepping for what you have found, then things become significantly easier. 

If you are having trouble, I recommend stepping back and re-evaluating your data.  If you don't have full scans/enumeration of the assets in the environment, you need to have an understanding of what you are working with.  Once you know what you are working with, google and grep should get you the rest of the way towards what you need. 

I appreciate your post though, as it outlines why I think this is quality material. This course is about understanding what is going on, how to use all of the tools at hand to interrogate machines, and then, once you have the resources, how to apply that information. By the end of this course, you should understand how to apply your skills to different situations and deal with everything from scanning and enumeration to escalation. I think that is a huge endorsement in that if you pass the exam, it shows you do have an understanding of what is going on, not that you have great memorization skills.
11  Columns / Linn / Re: [Article]-Review: Penetration Testing with BackTrack by Offensive Security Part 4 on: February 18, 2010, 01:20:40 PM
Sorry for the delay in joining in. If you know your stuff, you can ace this stuff in 60 days, and be pretty good in 30 days. I only used 20 days of lab time before I took the test, and that was with spending a good amount of time on some of the bonus content of the course. I finished the exercises themselves in the first 2 weeks, and had most of the extra credit points within a day or two after finishing the content of the course. I would say that if you are strong with scripting, networking, Linux and have some general understanding of basic exploitation then 60 days will be way more than what you need. If any of those are weaker, 60 days will probably be sufficient.

Hope this helps,
Ryan
12  Resources / Mass Media / Re: Good hacker movies? on: February 13, 2010, 11:00:28 AM
Sneakers (OLD school hacking, great movie)
Enemy of the State (not hacking as much as spy stuff)

These two are among my favorites.
13  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Pass-the-hash question on: November 30, 2009, 12:18:09 AM
If you get bored, I have some stuff on capturing challenge hashes and having fun with them in my presentation at http://www.sector.ca/presentations.htm. Basically, if you have a static challenge for NTLMv1 auth, then you haven't really increased the complexity of cracking the password by very much. The reason for this is that for NTLMv1 only the server sets a challenge. In NTLMv2, both the client and the server set a challenge, which makes it almost impossible to use any sort of time-tradeoff method such as rainbow tables to crack the password. You are left with brute force. The two challenges don't increase the complexity significantly over having a single random challenge, but they do mean that having control over one of the challenges will not help you much. Turning off LM also increases the complexity of cracking NTLMv1 challenge/response, as you are left having to crack a whole hash; with the LM portion of NTLMv1 you can perform an attack known as a half-LM challenge attack, which will get you the first 8 characters of the password a lot faster and then allow you to only brute force the last X characters of the password. If the password is < 11 characters, the time isn't significant. Passwords over 11 characters still require a fair amount of time, and it goes up exponentially as you add characters.

Anyway, hope this helps some.
-Ryan
14  Ethical Hacking Discussions and Related Certifications / General Certification / Re: CISSP Test on: November 15, 2009, 02:14:45 PM
I found a bunch of sample questions on the internet and made my own quiz engine in PHP/MySQL. I did a 5-day course for the knowledge, and then never touched that content again. I took the sample questions and my test thing, and got used to the feel of the questions, and picking the "best" answer (which is always the one that makes sense in the business context).

After that, I took the test. I ended up taking the test about 1.5 months after I took the 5-day course. I finished in about 2 hrs, then went to take a nap in the car while my friend finished. I had no idea how I did, and I didn't go back and check any answers.

So.. my feelings are something like this: You will walk in knowing a certain amount, but not everything. If you are used to answering the questions with the "best" answer, you will probably get about 3/4 of the questions you have no idea about right. If you over-think it, you will probably miss it if you have a deep knowledge of security topics.
15  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: DefCon CTF on: November 15, 2009, 01:59:59 PM
Check out:
http://nopsr.us/


I haven't competed in the finals at DefCon; I did the qualifiers this year with some folks from Midnight Research Labs. I gotta say, win, lose, or draw it was a lot of fun. I hope to do the qualifiers again this year. I have been working on my RE/exploit skillz, but I'm not sure; I know I have a ways to go.
