EH-Net
May 18, 2013, 04:39:25 PM *
  Show Posts
31  Resources / News from the Outside World / BruCON - free ticket up for grab from EurotrashSecurity podcast! on: May 10, 2010, 07:36:58 AM
All,

This goes out to all the Euro EthicalHackers.net folks out there

Just seen a tweet from the @Eurotrashsec guys, a European podcast, offering up a ticket for BruCON in Brussels, Belgium.
http://2010.brucon.org/index.php/Main_Page

I'm in the wrong part of the world to go, but it sounds like a great event and even better if you're not paying for it :-D

The boys are on iTunes or you can find them here http://www.eurotrashsecurity.eu/index.php/Main_Page

If you win, I'd love a review to be posted ;-)
32  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Hacking Contest by OffSec on: May 08, 2010, 09:55:06 PM
Nice work Ketchup!

The challenge was fun, apart from load times.
The lag is an absolute killer for us at the bottom of the world. Load time of over 10,000ms per object, so can't complete stage one to get away from the loonies and get some peace to go for gold :-(
33  Resources / Career Central / Re: Go on course, Hand Notice in, Anyone been in my shoes? on: May 07, 2010, 08:04:55 PM
Hello delusion,

Chrisj offers a very sensible approach to your issue. I'll add that talking to your boss is a good way to go, but go in with a thought-out plan first.

If you walk in without a plan or with a negative attitude, then you'll leave the meeting unhappy and the boss will start to worry about you.

I've had people walk in and tell me their job stinks and they hate what they do and so on. I then ask what they want to do and how they see this working for the company in the role they are in. The people with reasonable solutions on how to change things tend to be the ones that actually make changes happen. The people with no clue just get more unhappy and angry.

Write down 3-5 points on what your issues are and how they could be addressed. These have to fit in with your current job and what the company is willing to pay you for. Talk through your points with a friend or someone who's been a manager to get their view on your request, as that can help you think through what you are asking.

Sit down with the boss and be polite, answer his questions and if he blows you off, you'll know where you stand. Never get angry, rude or dismissive about your current role - just point out it's not where you'd like to see yourself in the next few years.

As an example, suggest that you'll self study the Windows 7 course from books and then take the exam. Ask if you study and get the MS cert, can the training funds be used for another course. That's when you present your preferred training and what it will do for the IT team/company.
They must think the Win7 training is important, so learn and pass it. Hopefully both sides win.

If they do just blow you off, remember it's easy getting another job while employed. Make sure you have a job before throwing any towels around :-)
34  Resources / Career Central / Re: InfoSec Mentors on: May 07, 2010, 07:38:00 PM
@Equix3n-  Always one to acknowledge when I'm wrong - well, most of the time ;-)

ChrisJohnRiley of www.eurotrashsecurity.eu has done a small podcast with Marisa Fagan of InfoSecMentors.

They discuss people that aren't able to get to the events in the US and how they hope to grow the program.

Well worth a listen to understand the program and what it or you can offer to the ITSec industry.
35  Ethical Hacking Discussions and Related Certifications / Other / Re: How to become the world's no.1 hacker? on: May 05, 2010, 10:40:09 PM
I've heard a few well known security people asking for copies to review, so I hope to have some indication of the material one way or another very soon.

If someone in the forums gets a copy and reviews it, I'd be interested in their thoughts.


Happy to be proved wrong about my feelings on what this is going to be like :-)
36  Ethical Hacking Discussions and Related Certifications / Other / Re: Vulnerability Found... Need Advice on: May 05, 2010, 10:31:44 PM
I'd like to know if I had a massive hole in my external network before it becomes "managed" by someone else ;-)

You may want to contact a trusted 3rd party like the SANS Internet Storm Center and ask them to inform the company. If they can't help they may be able to point you in the right direction on whom to report this to.

http://isc.sans.org/contact.html

Worth a shot and then at least you've tried.
37  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: OffSec/eLearnSec vs. more traditional certs... on: May 05, 2010, 10:22:00 PM
Hello Artholm3,

I'd have to say it depends :-)

These (OSCP, eLearning, GPEN) courses are targeted at teaching specific skills, thus specific, specialised roles in a company. Having these skills/certs is great but they have to fit in with an employer’s need for them to be required, thus having HR identify what they are in the first place.

If you're looking at working in a normal company with no or minimal security skills, planning or direction, the only qualification the HR staff will recognize is the CISSP or CISM/CISA, as Ketchup mentioned. These have no hands-on components but are seen as industry “standards” for security. They may even just look for OS skill sets with the word security tacked on the end or a certain vendor's (Cisco/Juniper/etc.) certs.

The security specific company should know, or at least check, what different security certs are. Certs with solid hands-on experience prove a certain level of understanding and ability. I’ve seen CVs with certs I’ve never heard of, but after a quick check I know whether to say “Wow!” or “hmmm”. As new courses/certs appear, they either become adopted into the industry after a while or disappear.

If you’re looking for the right training to get your dream job, hit the job web site and find similar roles. They'll be asking for certain skills, training and knowledge, so flip that to a course and you’ll be one step closer to getting that job!
38  Resources / Career Central / Re: InfoSec Mentors on: May 05, 2010, 06:25:45 AM
My take from that and a bunch of tweets bouncing around is that to get a really solid match, being there is what will seal the deal. Knowing who you are and what you are after will make the pairing up work. Picking names from a hat is never quite as good for either party.

I think this is a brilliant idea, but still those who are physically at the events will get a truly marvellous opportunity.

I hope it spreads to other events.
39  Ethical Hacking Discussions and Related Certifications / Other / Re: How to become the world's no.1 hacker? on: May 05, 2010, 06:16:24 AM

Honestly, spending $25 to "become the world's no.1 hacker" seems a somewhat outlandish boast. The fact there are no reviews on Amazon or blog posts about it says volumes to me.

I'd spend the money on a book rated by decent security professionals who are well known for their teaching abilities. Or save it up to later sign up for any number of excellent online courses.

Have a look at some of his videos and compare them to anything by John Strand, Muts or mubix. I know who I'd want to learn from ;-)

40  Resources / Career Central / Re: InfoSec Mentors on: May 05, 2010, 05:51:57 AM
Looks like an amazing opportunity. Shame you have to be in the USA and at those events to be part of it.

:-(
41  Ethical Hacking Discussions and Related Certifications / Other / Re: How to become the world's no.1 hacker? on: May 04, 2010, 08:38:44 AM
Avoid the book and just buy the tee-shirts! :-D

Google the author and then make up your own mind whether to buy the book or any of their services.

I'll avoid this one and get something a bit more realistic.
42  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Penetration Testing in the Real World on: May 04, 2010, 08:34:07 AM
Excellent demo and explanation for how they did it and the mindset they used to work into the environment. Some great work and clever thinking.

What I take from it, from the defense side, is that some simple, good practices would have stopped the attack in its tracks.

As an example, if the servers weren't allowed outbound access to any locations, the tunneling would have failed. Simple controlled egress filters would have successfully "saved" the target from being exploited in this way.
43  Columns / Haddix / Re: [Article]-Review: eLearnSecurity’s Penetration Testing Pro (PTP) on: April 30, 2010, 05:58:48 AM
Hello Armando,

I really enjoyed reviewing the course demo on SQL injection, it is nicely put together, very clear and flows well. I think I learnt a couple of words in Italian too!

I can believe your course is different to both SANS and Offensive Security's offering, my trouble is pitching those differences to management so they can understand and sign off the training.

My process is to do a brief summary of a course I'd like to take and note the key points of what I expect to learn and be able to use in my job after the training. Sadly, my boss is pretty astute and would notice the similarities of the course structures to the other two.

The Web application security course is a much easier sell as it is a specialization and therefore more focused on providing particular skills. Plus it fits in with current buzz about web 2.0 the CIO likes to mention in meetings :-)

I'd love to take this course at some point, as I'm a firm believer in great training makes me excited about learning and understanding different approaches while still developing my knowledge and skills. Perhaps I'll pitch it to someone else when my boss is next on leave for a month ;-)

I wish you and the team great success with the course as quality training such as this creates better security professionals and that's no bad thing for the industry.
44  Ethical Hacking Discussions and Related Certifications / General Certification / Re: I passed the GCIH exam! on: April 30, 2010, 04:25:14 AM
Hello Alwin,

Great work on passing the GCIH!
It's amazing how that exam deadline sneaks up so fast :-)

It's a fantastic course and the skills from it really do help with situations in the real world. They've saved my backside a number of times!

Have you got plans to take any more courses or exams this year or are you going to take a well deserved rest?
45  Ethical Hacking Discussions and Related Certifications / Other / Re: Port 22 (SSH) Outbound Question on: April 29, 2010, 10:59:19 PM
If you lock SSH down to the server making the connection to only a defined and audited list of servers, that satisfies most compliance and audit requirements.

Deny root/admin from using SSH and only your server can initiate the SSH connection, that should get you all the ticks in the right boxes :-)
© 2013 The Ethical Hacker Network