HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 38 guests and 3 members online
 
Advertisement

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow General Certificationarrow An announcement and a question about training
EH-Net
May 24, 2013, 06:24:43 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: An announcement and a question about training  (Read 6814 times)
0 Members and 1 Guest are viewing this topic.
mmurray
Newbie
*
Offline Offline

Posts: 17



View Profile WWW
« on: December 17, 2008, 05:12:28 PM »
First, I'm announcing that I was really sick and tired of the sad state of affairs that passes for training of penetration testers these days.  So, I'm working with some friends to try and fix it.  We are launching a new class that we hope not only prepares people for certs, but actually makes them great penetration testers.

Blog post: http://episteme.ca/2008/12/17/getting-information-security-training-right/
Press Release: http://www.prweb.com/releases/2008/12/prweb1759624.htm

Now, for the question: I certainly have (a huge number of) my own thoughts on the matter.   But I want to ask, because my goal is to make a curriculum full of what is being used in the real world.

If you could add one thing that you use in the real world that is left out of the CEH/pen test classes that you have seen/taken, what would it be?
Logged
--
Mike Murray
MAD Security / The Hacker Academy

Email - mmurray@thehackeracademy.com
Phone - 773-360-0658
Twitter: http://www.twitter.com/mmurray
Andrew Waite
Hero Member
*****
Offline Offline

Posts: 928



View Profile WWW
« Reply #1 on: December 17, 2008, 05:55:48 PM »
Mike,

my first reaction to what is missing from pen-test courses would be 'me' can't get myself the time or resources needed to take all the courses I want  Wink

On a more serious note, it could be useful to have a module (or at least reference other sources of information) based around presenting security information to 'business' people. One thing that I always struggle with is managing to explain the latest and greatest exploit or attack vector to non-security people, most attempts result in 'that's interesting...' followed by their desire to be somewhere else.

I don't think it matters how well a penetration test or technical audit is performed technically if those in power and controlling the purse strings can't understand the risks then the right action is not going to get taken.

I can't speak for all pen-test courses (I have seen OSCP and CEH courseware material) but this isn't something that I've seen in any depth (or at all). Although from reading through some the SANs offerings this may be something that is present in their courses.

Overall I like the aspects of the course as you describe them in your blog posting, especially keep the courseware updated in line with the experiences and findings of an actual pen-test team on the front-lines.

Only issue I can see is I'm not sure how you'll be able to both keep the material upto date (you mention quarterly updates) and at the same time keep the taught material consistent between different instructors and classes (another goal you describe). To me that seems like a too frequent update cycle to keep that tight control over.

Hope you have some success, if you manage to produce a course as you describe it'll definitely be added to my training wishlist.

<minor edits for grammar/clarity, I shouldn't be posting to forums at midnight at the tail end of a 16hr+ shift  Sad>
« Last Edit: December 17, 2008, 05:58:22 PM by RoleReversal » Logged
-- http://www.infosanity.co.uk
-- http://blog.infosanity.co.uk
mmurray
Newbie
*
Offline Offline

Posts: 17



View Profile WWW
« Reply #2 on: December 17, 2008, 08:36:17 PM »
RR,

Awesome!  Good to know I anticipated... We're planning on the last module being about reporting to executives.

While there are some out there that are already doing some of that (and ECSA has some content on it), you nailed it - most of what's out there isn't doing a good job of actually explaining the risk to executives. 

It's something I've been working hard on myself with Foreground's pen-test team - gong from simply presenting data in the reports to actually presenting real, useful, and actionable information.

When I was on the other side, having to dig through a 100 page report to figure out that we needed to do 3 things drove me INSANE.

-Mike
Logged
--
Mike Murray
MAD Security / The Hacker Academy

Email - mmurray@thehackeracademy.com
Phone - 773-360-0658
Twitter: http://www.twitter.com/mmurray
Andrew Waite
Hero Member
*****
Offline Offline

Posts: 928



View Profile WWW
« Reply #3 on: December 17, 2008, 10:27:26 PM »
Quote from: mmurray on December 17, 2008, 08:36:17 PM
Awesome!  Good to know I anticipated... We're planning on the last module being about reporting to executives.

Nice, looks like you're waayyy ahead of me Cheesy
Logged
-- http://www.infosanity.co.uk
-- http://blog.infosanity.co.uk
apollo
Full Member
***
Offline Offline

Posts: 146


View Profile WWW
« Reply #4 on: December 17, 2008, 10:41:45 PM »
A discussion of looking beyond the vulnerabilities to the business processes which allowed them to be exposed may be a positive point as well.  While it's easy to point out all the stuff that's busted, coming up with a strategic plan that will keep an environment secure way longer than the next patch Tuesday would be great.  In many of the reports that I've seen, the strategic recommendations seem to be lacking.

Another one that I haven't seen much done with is evaluating network configuration.  For instance, layer 2 attacks are still effective without countermeasures in place, so a discussion of arp poisoning, and a discussion of why those protections are important might be nice.  MITM seems to be discussed a lot recently with tools like squirtle, cain and able, beef, and middler, etc.

Sounds like a neat class.  With your skills in social engineering, I hope that makes a showing as well Smiley   
Logged
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
mmurray
Newbie
*
Offline Offline

Posts: 17



View Profile WWW
« Reply #5 on: December 17, 2008, 10:57:56 PM »
Apollo - definitely, on all 3 of those counts.  :-)

Beyond just MITM, I want to get in to a more detailed treatment of VLAN hopping than I've seen.  I just don't see anyone talking about how to use Mausezhan often enough, and that has been a particularly interesting one for me, esp. when talking about UDP.

-Mike
Logged
--
Mike Murray
MAD Security / The Hacker Academy

Email - mmurray@thehackeracademy.com
Phone - 773-360-0658
Twitter: http://www.twitter.com/mmurray
LSOChris
Guest
« Reply #6 on: December 18, 2008, 09:08:00 AM »
Mike,
I read your blog post on the course.  couple of comments but a current list of module topics would help :-)

1.  its tough to say drop all things that are "old", old stuff still works alot of the times, especially on internal assessments.  You need still need to know old stuff especially if new attacks build on old stuff or more importantly you have to link a few "issues" together to create an exploitable vulnerability for a pentest. 

2. the industry needs to stop trying to and saying the can make someone a pentester in a week (not sure how long you plan your course to be) its just not possible.  there is too much background material and no one enforces any prerequisites.  Want to make a great class. list the stuff people should know any make them take a HARD pretest.  no pass pretest, no take class. simple.  that way you can do away with a large chunk of the "old" and background material and focus on new techniques.

3. for new techniques i'll give you some stuff that I think must be covered.
* scoping pentest work; how long, many man hours, how much, etc
* pick one or several accepted methodologies (like OSSTMM) and USE it through the whole process, if you dont discuss why you dont
* documentation during and after a pentest, no one ever mentions how to log all your commands or take proper notes and screenshots and why that is important
* technology-wise need to cover; client side attacks, passing the hash, token stealing, turning sqli and xss into actionable shells versus information disclosure.

those first 3 are very much OJT and what makes the difference between junior and senior pentester but since you asked I threw it in there.

-CG
Logged
BillV
Hero Member
*****
Offline Offline

Posts: 1892


View Profile WWW
« Reply #7 on: December 18, 2008, 10:25:40 AM »
I agree with a lot of what Chris said, although most of those topics in point 3 are covered in the SANS SEC560 (Network Pentesting course).

I still need to go read the blog regarding the course, but as Chris mentioned I think a list of topics would be helpful to properly compare to the others. Especially if you're directly comparing to CEH as the follow-on courses include different material.

BillV
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.067 seconds with 22 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Advertisement

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.