EH-Net
  Show Posts
361  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: OSCP Walkthrough on: January 16, 2011, 08:02:38 AM
Thanks cd1zz. That's my issue, can't use Offsec labs at work (not until I get separate internet connection for my lab so I can connect to their VPN), and don't have time when I get home. At least not yet. That's why this one keeps getting delayed, which is too bad because it seems to be rising in demand quite rapidly.
362  Resources / News from the Outside World / Re: Trend Micro chairman says that Open-Source is more vulnerable on: January 15, 2011, 10:24:16 PM
He's trying to sell the new Trend Micro Android software http://us.trendmicro.com/us/products/personal/mobile-security-for-android/

It's not confusion, it's just plain marketing FUD.
363  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: Ethical Hacking Compared to Penetration Testing? on: January 15, 2011, 04:48:59 PM
I did not mean to state that EC-Council created the term, simply that today's definition of what it means stems largely from their marketing efforts. The article you posted was a good read, thanks for the link Don. It did mention that these ethical hackers reported on vulnerabilities and developed remediation plans, but it is my stipulation that a good penetration tester goes a step farther and correlates the verified vulnerabilities to business risk. Without a compelling reason to resolve the vulnerability, there is little incentive to do so. You have to show the impact.

There is no authority on this subject currently that can clearly define these terms for us. That's just my personal definition. I'm fine if you disagree but that doesn't change my opinion. :) I will contend that I usually don't include a remediation plan within my definition of ethical hacker either, but IBM clearly did.
364  EH-Net / Calendar Of Events / Re: SANS 2011 on: January 14, 2011, 01:40:17 PM
Anyone else going? I'd love to meet up with other folks from the forums. I'll be facilitating again (my 5th Orlando SANS, I really need to make it to another city one year) and I think they have me working the registration desk this year. I'm taking SEC542 http://www.sans.org/security-training/web-app-penetration-testing-ethical-hacking-4382-tid and SEC580 http://www.sans.org/security-training/metasploit-kung-fu-enterprise-pen-testing-1472-mid if enough people sign up.
365  Ethical Hacking Discussions and Related Certifications / Compliance, Regulations & Standards / Re: IT Strategy Document on: January 14, 2011, 01:28:14 PM
This was so awesome I had to post it

http://whatthefuckismyinformationsecuritystrategy.com/

366  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: GCIA on: January 14, 2011, 10:30:04 AM
I really like http://www.packetstan.com/ for packetfu. The authors Mike Poor and Judy Novak are also course authors for the GCIA course.

You could probably self-study the GCIA if you used the right materials. I'd probably start with TCP/IP Illustrated, Vol. 1 and the Wireshark Network Analysis book by Laura Chappell. Richard Bejtlich's Tao of Network Security Monitoring would be good as well. You will want to get familiar with Snort and also download the TCP/IP cheatsheet at http://www.sans.org/security-resources/tcpip.pdf

Many many questions will require that cheatsheet so get it for sure.

The certification objectives are at

http://www.giac.org/certbulletin/gcia.php

I also used the following cheatsheets:

http://packetlife.net/media/library/8/IPv6.pdf

http://packetlife.net/media/library/12/tcpdump.pdf

http://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf

http://packetlife.net/media/library/23/common_ports.pdf

as well as printouts of the manpages for p0f, tcpdump, tshark, tcpreplay, snort, and other related tools

I also used the http://www.sans.org/security-resources/idfaq/oddports.php list of well-known trojan ports and you may find other good resources at the SANS intrusion detection FAQ http://www.sans.org/security-resources/idfaq/

There's also tons of good IDS papers in the SANS reading room and I found some good resources at http://www.whitehats.ca/main/members/Seeker/ which is Guy Bruneau's page there. He wrote parts of the GCIA course as well. He also wrote this post at SANS on installing SGUIL http://www.sans.org/security-resources/idfaq/slackware.php

I could probably keep posting various links on Barnyard, ACID and other topics but this should get you started. Like mentioned before, the practice exams are a very good indicator. I would personally recommend taking the course though. It's really good and if you go the volunteer route at SANS you can attend a conference, get 4 months of OnDemand and the cert for only $800.00.

367  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: GCIA on: January 14, 2011, 08:06:44 AM
Exactly. SANS has a Cyber Guardian program that lays out their roadmap for blue team and red team members, obviously using SANS courses since that's their business. :)

http://www.sans.org/cyber-guardian/

I haven't done this program yet as I still require 2 of the baseline skills certs and 1 of the courses but I tend to focus more on red team activities. (Took SEC504 but didn't sit for GCIH, and never took the SEC508 or GCFA exam.) The bonus here is that completion of this program also qualifies you for the GSE exam. I'm determined to get there one day, but if you focus only on red team types of skills I think passing the practical for GSE may be a bit difficult. We have a few GSEs on the boards who could probably talk more about that if you are interested. I know I am.
368  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: OSCP Walkthrough on: January 14, 2011, 05:39:41 AM
Which is why I haven't done it yet myself. When I get home from work I have a limited amount of time since I work fairly long hours, have an hour-long commute one way (which is great for listening to security podcasts btw), wife and 2 small kids (infant and toddler) and am finishing up my B.S. degree this semester that I procrastinated on forever. Oh and working a 2nd job too as a consultant for a state agency doing security research but there's no set hours (usually log 10 to 15 hours a week) and I work from home on that one.

I can do a lot of this kind of stuff during work hours but they have not accommodated all my lab requests yet, including a dedicated cable modem, but I'm hopeful this can happen soon. Allowing me to VPN from our network to the Offsec network will not be happening, EVER. And honestly that's how I want to keep it.

I typically spend about 5 to 10 hours a week on developing skills in my lab. Would that be sufficient or would I likely need more time than that? I could probably shift things around and get another 10 hours in over the weekend if I had to, but probably not every weekend.
369  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Vulnerability Explanation on: January 14, 2011, 05:25:52 AM
@sephstorm

Are you asking what the -g switch does? It lets nmap set the source port, which is why that scan result shows it open. I'm assuming scans without the -g set are showing it filtered or closed.
370  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: GCIA on: January 13, 2011, 10:04:15 PM
I took it via SANS OnDemand and did the cert in spring of 2010. It's a fantastic course/cert. What do you want to know?

In a nutshell (I've taken all 3 but did not sit for the GCIH exam):

GCIA - deep dive into packet analysis, hex math, intrusion analysis, yum. This is a blue team course. You will walk away seeing packet dumps in your head and tcpdump switches embedded on the inside of your eyelids.

GPEN - network pentester skills - this is a red team course. It does cover pentest methodology but differs slightly from GCIH in that things like maintaining access and covering tracks are not covered (typically not part of a pentest). Awesome course, take it with Ed Skoudis if you can.

GCIH - responding to attacks, understanding black hat mindset, and some nifty tricks for incident detection and response. Incident handling methodology is covered as well. This is a blue team course.
371  Ethical Hacking Discussions and Related Certifications / Compliance, Regulations & Standards / Re: IT Strategy Document on: January 13, 2011, 01:20:34 PM
The link is to a pdf document so you'll need a reader installed but I have no problems opening from the link on multiple machines.
372  Ethical Hacking Discussions and Related Certifications / Compliance, Regulations & Standards / Re: IT Strategy Document on: January 13, 2011, 10:20:10 AM
I agree with what Andrew said, but sometimes it's beneficial to see an example. Here's the IT Security strategic plan for the state of Florida.

https://aeit.myflorida.com/sites/default/files/files/2010-2012%20Florida%20Enterprise%20Informaiton%20Technology%20Security%20Strategic%20Plan.pdf

Obviously it's geared towards providing security services at the state level but it may give you some insight as to how one possible format works.

I would caution you against copying and pasting this or any other plan though. You need to develop and document a strategy that makes sense within the context of your organization. Even within the same industry, management priorities and strategy may vary wildly. You may want to request a copy of the business strategic plan so you can develop an IT plan that supports those objectives. That's what I did when I created the security plan for my organization and it's likely what your organization is going to want to see. IT has a role in supporting business operations, not just existing for its own sake. You have to draw those lines of connection and show how you will support those business initiatives. Also keep in mind that typical business strategic plans are 3 to 5 year timelines. That is just not feasible for a technology oriented strategic plan. The landscape changes too quickly. 1 to 2 years seems to be a good target, or possibly 3 but that's pushing it. Good luck!
373  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Reliably determine the Operating System and Service Pack on: January 12, 2011, 02:07:32 PM
Thanks hell_razor. I was trying to figure out how to accomplish this via SMB null sessions other than user2sid and somehow missed the NMAP script option. I'll have to give that a try sometime.
374  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Vulnerability Explanation on: January 12, 2011, 02:04:37 PM
I'm curious what a web server is doing if it can't be reached on port 80 (or 443, 8080, etc.).

Is this a public facing web server?

Is this a network firewall or host firewall on the web server itself?

If the intent of the firewall control is to block all external connections to this web server (assuming this is for internal usage only) then allowing a connection coming from port 80 means that an attacker can bypass your firewall rules and interact with the web server as if it were external facing as long as he adjusts his source port to 80. There's no one specific exploit that we are talking about here. Any attack that can be leveraged against a web server could be utilized. If my assumptions are correct and it's for internal usage only, is there a reason why it's publicly addressable? Or maybe there's a forwarding rule on the firewall? If it's not internal, then why the heck aren't you allowing web traffic to the box?

You can certainly configure your firewall to drop all connections to that box if you so choose.
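The source-port bypass described in this post and in the earlier reply about the nmap -g switch, modelled as an added example (not code from the original posts). It simulates a tiny packet filter twice: once with a stateless "allow TCP from source port 80" rule of the kind that lets return traffic from web servers through, and once with a stateful rule that only admits packets belonging to a flow the inside opened. The addresses, the rule set and the packets are constructed for the illustration; the real scan it mirrors is `nmap -g 80 -sS -p 80 <target>`.

```python
"""Why a firewall rule keyed on *source* port 80 is bypassable.

Constructed illustration: two toy packet filters evaluated against the same
packets. An attacker who sets the source port to 80 (what `nmap -g 80` does)
passes the stateless rule set, but not the stateful one.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool   # connection-opening SYN
    ack: bool   # ACK set: mid-stream or reply traffic


WEB = "10.0.0.5"    # constructed: the "internal-only" web server
LAN = "10.0.0."     # constructed: internal address prefix


def stateless_filter(p: Packet) -> str:
    """Rules as the post suggests the firewall was written.

    1. allow anything from the LAN to the web server
    2. "allow replies from web servers": permit TCP with source port 80
    3. drop everything else bound for the web server
    Rule 2 is the flaw: it never checks that the packet is actually a reply,
    so an outside host that picks source port 80 matches it.
    """
    if p.src.startswith(LAN) and p.dst == WEB:
        return "accept"
    if p.sport == 80:
        return "accept"
    if p.dst == WEB:
        return "drop"
    return "accept"


def stateful_filter(p: Packet, conntrack: set) -> str:
    """Stateful version of the same policy.

    A packet is accepted as 'reply' traffic only if its 4-tuple belongs to a
    flow the inside opened (recorded in `conntrack`). A new inbound
    connection to WEB is dropped whatever source port it carries.
    """
    if (p.src, p.sport, p.dst, p.dport) in conntrack:
        return "accept"
    if p.src.startswith(LAN) and p.dst == WEB and p.syn and not p.ack:
        # remember both directions of the flow so later packets match
        conntrack.add((p.src, p.sport, p.dst, p.dport))
        conntrack.add((p.dst, p.dport, p.src, p.sport))
        return "accept"
    if p.dst == WEB:
        return "drop"
    return "accept"


def demo() -> dict:
    """Evaluate the constructed packets and return each verdict."""
    attacker = "203.0.113.7"                                  # constructed
    plain_scan = Packet(attacker, 44231, WEB, 80, syn=True, ack=False)
    g80_scan = Packet(attacker, 80, WEB, 80, syn=True, ack=False)   # nmap -g 80
    inside_syn = Packet("10.0.0.22", 51000, WEB, 80, syn=True, ack=False)
    inside_reply = Packet(WEB, 80, "10.0.0.22", 51000, syn=True, ack=True)

    ct: set = set()
    return {
        "stateless: plain scan": stateless_filter(plain_scan),   # drop
        "stateless: -g 80 scan": stateless_filter(g80_scan),     # accept (bypass)
        "stateful: -g 80 scan": stateful_filter(g80_scan, ct),   # drop
        "stateful: inside opens": stateful_filter(inside_syn, ct),     # accept
        "stateful: server reply": stateful_filter(inside_reply, ct),   # accept
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:26s} -> {verdict}")
```

The stateless filter cannot tell a genuine reply from a crafted SYN, because the only thing it can look at is the header, and the attacker controls the header. The stateful filter keys on a connection table the outside cannot write to, so the spoofed source port buys nothing; this is the property to look for in the real rule set (an ESTABLISHED/RELATED match rather than a bare --sport 80 match).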
375  Resources / Tools / Re: Network Monitor on: January 12, 2011, 12:57:47 PM
Spiceworks looks to be pretty good too.

It may have changed in the last 3 years or so, but last time I looked at Spiceworks it was doing targeted marketing based on what it saw in your environment which raised a red flag with me. I don't feel the need to share the intimate details of my internal network with a 3rd party.

http://www.spiceworks.com/privacy/

Brought it up on twitter (follow someone else that uses it, and spiceworks themselves. That link was the end response from Spiceworks).

I'm not crazy about the idea of trusting Spiceworks to use my information responsibly. Why engage in a trust relationship unless you have to? I'd rather install an application that is used internally that doesn't phone home to anyone. Having their privacy policy tell me they won't share the information with anyone is not enough. And if you read the privacy policy they do state:

Quote: "If our company should ever file for bankruptcy or be a party to a merger or acquisition, we may share the information you provide to us to a third party in connection with such activity."

You may want to have a look at the trust metrics portion of http://www.isecom.org/osstmm/