SANS 660 is being run for the first time at SANS London 2010, so I can't comment on the entire course, but I know some of the content has come from 709.

My take on the two courses are:
709 is intended for folks that want to find, created and develop their own exploits, or at least have a stellar understanding of how the bad guys and security researches do it.

660 is for those penetration testers who want to take it to the next level and understand, subvert and overcome the defences of modern systems and networks.

I really enjoyed SANS 709 and have a vastly deeper understanding of its topics from taking the course, but it's a very, very targeted group of people that really get the most of it. 660 sounds awesome and a lot less mental pain
 ;-)

My suggestion is that if you've taken SANS 560 then 660 is going to be the best course for you.

Hello crossover,

I really like the SANS IH course as it’s a great introduction to the incident handler process and from what you’re saying, I’d think this is a good starting point.

More advanced or very focus IH courses are from US CERT http://www.cert.org/ or one I’d love to take is Richard Bejtlich's course http://www.blackhat.com/html/bh-ad-10/training/bh-ad-10-training_ts.html

COm_BOY –

If you have the time, energy, resources and luck to find everything you need and then can make sense of it online, then go for it. There’s a lot of very poor information out there on the web, so paying for training that has been peer reviewed and raved about mean you get an excellent education in a very short time space. Money outlays from courses can be a problem, but as long as it’s invested wisely, it pays for itself in the long run and over the course of your career.

I really enjoyed the back track course, but even with the 60 day labs, I was under a lot of time pressure. Given the option of having six days in a class room with like-minded people over sitting at home for a month with a million real world distractions, I’d opted for the classroom. :-)

Hello delusion,

Having experience in a major company, working with a diverse range of people, systems and requirements is a dream run. You’ll get to make plenty of contacts and have actual experience of critical financial systems – both the good and the bad.

Unless you see yourself a back office guy that never interacts with clients, customers or normal human beings, I'd be jumping at the opportunity. Having a broad range of skills and knowledge, from technical to business operations, is going to be a huge plus to your experience and understanding.

Progressing your technical skills and abilities is a matter of time and focus, which you can create a personal timeline and roadmap for. I’d assume you’d have access to the bank’s security team, plus a decent training budget. If it’s a good sec team, they want to have folks from other IT teams working with them. If they see real promise in you, career paths can easily be re-directed.

I’d suggest if you did jump from being an IT manager for a large firm to a pen-tester, a large number of clients would find that pretty reassuring as the experience and understanding you’d be bring in.

Summing up – go for it! :- )

Hello H1t M0nk3y,

I hope that over the next few years there will be a ever-growing number of EH-ers with the GSE to their names.

Thanks ziggy_567, if I can help out with the ascent to the GSE, let me know :-)

Hello H1t M0nk3y,

A resounding YES to your question: Is the GSE worth the time/money/effort?

I didn't do it for the glory, fame or to get a pay rise. I did it to learn and wow, did I learn.

I’m one of ziggy_567’s generalists, pretty much focused on the defensive side, but there are some super smart offensive guys that are GSE’s, so it is up to the person taking the exam to work out the personal value. The people taking the GSE with me were a very diverse group. The only real definition I would place on them is they are all driven, seasoned security professionals with a desire to test and push themselves.

I’ve got a number of other qualifications and always on the lookout for inspiring trainers and courseware to make me want learn. The GSE is a long term goal, rather short to mid-term one, so by all means take and excel in CEH/CISSP/CISA/GPEN/OSCP/CCNA etc, but once you completed them it is great to have somewhere else to aim for, should that be the path you want to follow.

As a career advantage, it definitely helps you stand out. If you’re going for a security role and the interviewer doesn’t know what a GSE is or says about your abilities, then I’d suggest you’re applying for the wrong role. Again this is a big picture, long term career certification.

My simple analogy; this is a CCIE/MBA for the security industry that is recognised as hands on ability. SANS is market leader for corporate security education and for good reason, in my opinion, so this level of testing and certification isn’t for everyone.  Other companies may come along and offer similar levels of exams, and I hope they do, but the security industry needs to have clear examples for non-industry people to differentiate ability and knowledge.
 
I know enough networking folk to realise that certs don’t make the engineer, it’s skill, knowledge, ability and experience that do. Practical exams test those four areas, so you prove firsthand that it’s not book or braindump smarts, and that’s praiseworthy in my book. The GSE has a soft skills component, so while it is a very technical exam, being a back office, exploit-coding god without impersonal skills means you’re likely to fail. It is vital to be a good, or even great, communicator as a security professional or your message fails on uncaring ears and you fail.

Money is a big issue, but I’d say any taught education costs. Once someone else stops paying for your education, you really have to be motivated to expend time and energy never mind the money. SANS is focused toward companies and organisations willing to pay for good training, so hopefully work will pick up the tab for most of the training. If you’re doing this out of your own pocket, do what I did – apply as a SANS work study volunteer:  http://www.sans.org/security-training/volunteer.php

I hope that lots of people step up and challenge the GSE exam, to better themselves, continually push the industry to keep current and give others something to aim for being. Like anything the more people that are GSE’s the more they’ll be in demand. Cisco’s CCIE program started in 1993, considered as one of the hardest exam certifications, has over 22 thousand certified CCIEs nearly twenty years on. You decide if this is due to people want to excel and prove their skills or market demand. Or both :-)

A minor correction to your original post, there’s 29 people who are GSEs - now ;-)

It's a great course, and very different from GWAPT.

I'd offer the advice to read up on hex and packets before hand. This will help  avoid the head crushing pain of attempting to read packets in Hex on day two :-)


Laura Chappell's excellent Wireshark box would be a great pre-course read too.

That's interesting and sad at the same time, I guess there has to be rogues out to cash-in in any community by re-hashing others work. It seems his time has come Armando,well at least in the security community, to show he's not someone to trust or believe.

The twitter feeds are pretty busy calling him out to prove he's THE number 1 after he made a rather rash statement about showing he's the best and wagering one million dollars to prove he's the man.

Mr Evans has taken quite a bit of flack for the statements he's made and the obvious plagiarism. A number of podcasters are trying to talk to him about the plagiarism.  Student Hacker Information podCast - http://shitcast.co.uk/ apparently have got him on Ep 7.

Will be fasinating to see what he's got to say for himself.

The boys from Eurotrashsecurity http://www.eurotrashsecurity.eu have a few free tickets to HackInTheBox Amsterdam.

Being 11 thousand miles away from it means I'm unlikely to make it, unless someone loans me their jet for the week. So I may as well bring to the rest of European EHN members attention.

Details to win are here http://blog.c22.cc/2010/06/11/hackinthebox-comes-to-amsterdam/ and you have until the 16th to enter.

Many thanks Armando!

Really looking forward to taking your course.

It's been received terrible reviews on Amazon too.

http://www.amazon.com/How-Become-Worlds-No-Hacker/dp/0982609108

I find it sad people will buy this book only to find out it's a poor rehash of other material.

There's been a lot of chatter on twitter about the author @ligatt and #ligatt most of which hasn't been very pleasant. Out of that a few people I respect have made some damning comments about the book and author. Save your money and buy something recommended and original.

I'm very excited to have been picked as a winner and can't wait to start eLS's training. I'm truely fasinated to see how it differs from SANS and Offsec's offerings!

I'll make a humble attempt to add to Jason's and Equix3n- reviews.

Thanks Don and Armando Romeo!

Read the SANS link and break up your response in to steps in order to deal with the problem in a calm and rational way.

One possible way of dealing with a Conficker outbreak in a Windows active directory (AD) domain follow the SANS steps.

Step Two—Identification
You (as the security person) have been alerted of that there's a problem.
In Conficker's case, AD user accounts have started locking out large numbers.

First thing to do is find a machine causing the problem and examine it.
Looking in Domain Controllers event logs will show which machine(s) is causing the accounts to be locked out. 

Once you've examined the machine and determined the problem, Conficker in this case, you need to work out what Conficker does and how it works in order to stop it. Then the why, who and how the machine got infected.
For example: Was it patched? Did it have a working AV did the attack come from USB or another machine.

Step Three—Containment
You need to make the call on how to deal with the problem and get management involved. Do you go in hard and locking down the network and blocking internet access or do you quietly clean up the mess in the background? Conficker is well written, so infected machines aren't crashing and the AD locks can be scripted to be unlocked to minimise the down time effects on the staff.

Lets say you got a number of machines without out patches and no antivirus across the network and Conficker infected one of those machine from a USB drive. Scanning for infected or machines open to infection would give you a list of machines to fix and let you know how many machines are possible problems.

Quick fixes could be using group policy to turn on Xp's firewall and block port TCP 445, or force out the patches, AV and reboot machines. Searching for machines with AT1.job file and deleting that file will also slow up Conficker.
If you have a network with modern switches, drop all the infected machines on to a special VLAN that has no access to the rest of the network and fix them as and when you have time.

Someone needs to talk to the staff and tell them in non-geek terms what the problem is and how not to make it worst (e.g. ban use of USB sticks while clean up the network)

Step Four—Eradication
Clean up all the infected systems and ensure all the other computers in the network are protected from possible infection. Find any infected USB drives and clean/remove them.

Step Five—Recovery
Check everything is okay and staff can work normally again.

Step Six—Lessons Learned
Write up what happened and put it in to a time line of events and actions. Work out what you could have done better and how this could have been avoided. You may suggest regular patching is a good idea, as is restricting the use of USB drives by certain staff.

Hello Crossover,


That's a bit of a generic question to answer fully, do you have a specific incident in mind?

A great overview of the steps I've used to deal with a number of issues is from SANS
http://www.giac.org/resources/whitepaper/network/17.php
This covers dealing with incidents from start to finish.


They've also go some excellent examples of IR in their reading room too.

Mine was created from sheer annoyance.

I was attempting to open a hotmail account, way back when hotmail was new and shiny,  using my name. Hotmail merrily informed me the name was taken but I could have ChrisMohan90.

My response went something like "WHAT? 90! - bugger." and so a simple angry outburst became my new email address and eventually, forum handle :-)

My link to download the videos and PDF turned up two days after they confirmed my order.

You should get the follow up email with the download link very soon.