EH-Net
May 22, 2013, 11:47:05 AM *
  Show Posts
16  Ethical Hacking Discussions and Related Certifications / Programming / Finished Python Course in Codecademy now what? on: April 25, 2013, 05:43:39 PM
So I made my way through, but now I want to keep improving, and I like to do that with some applicable projects. Any suggestions? I was going to look at the API projects there on Codecademy; I was also going to make my way through the Violent Python book.
17  Ethical Hacking Discussions and Related Certifications / Malware / Re: Query on possible hacking tools on: April 25, 2013, 05:36:24 PM
It is a very general question, and doing a Google search for rootkits, backdoors, and trojans might send you in the right direction. Metasploit could be a good resource, but you need to know how to work your way through it. Also, what type of rootkit? Master boot record? The rootkit is typically used for persistence, as it tends to sit below where traditional AV looks. It will continue to replace live malware if someone removes it and reboots the device. There are other uses for rootkits, but they depend on what the attacker wants to accomplish. The key to backdoors is the ability for the attacker to continually connect. So, lots to consider.
18  Ethical Hacking Discussions and Related Certifications / Other / Re: Managing Usernames & Pass-Phrases on: April 25, 2013, 05:31:26 PM
PW Safe, I like having the mobile version as well. 
19  Ethical Hacking Discussions and Related Certifications / Other / Re: Fun with pfSense and Splunk on: April 18, 2013, 06:17:44 PM
Hmm, I do have the app. I think it was designed for a designated Splunk box. pfSense is currently dumping all logs to syslog, and the current Firewall setting is parsing that information. I can probably change the settings to see if it can pull those out. If so, maybe I can do something with pfSense to send the Snort logs another way. This helps, though. I may muck around with it over the weekend.

Thanks!
20  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Looking at vulnerability assessments strategically from a defence side on: April 18, 2013, 06:07:41 PM
Well, give the search a try and see what comes up. Another good resource for some standards in server hardening is nist.gov. As far as whether or not to scan a system, basically do whatever you have to do to ensure the system is ready for production. If that means hitting it with something like Nessus, GFI LANguard, or Rapid7's Nexpose, then do it. When an official audit comes around, you will need to produce proof that controls are in place and working according to your policies.
21  Ethical Hacking Discussions and Related Certifications / Other / Re: Fun with pfSense and Splunk on: April 17, 2013, 07:21:24 AM
Hey, no problem. No, I never did get this piece working. I haven't had a chance to revisit it, but if you have some thoughts, I'd be interested in hearing them.
22  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Looking at vulnerability assessments strategically from a defence side on: April 16, 2013, 07:21:14 PM
I think as far as "poor patch management" goes, many companies still think, "If I set Windows Update to update automatically, then I will be compliant." This might work for very small environments, but not so much for larger ones. There should be written policies that state what is needed to be compliant: "You must have all critical and security patches installed within X number of days from release." The average is probably 30 days. The policy should be written so it takes a number of factors into consideration:

  • Actual risk rating: what a vendor labels a patch/update may not be what the organization labels it. This would depend on the number of systems affected. Is the patch a fix for a vulnerability? Is the vulnerability exploitable? How likely is it that it can be easily exploited? Yada yada yada...
  • How long does it take to properly test certain patches? Yes, every good patch management process should include proper testing. Deploying an untested patch could be just as bad as not deploying it.
  • What does your particular flavor of compliance say? In most cases they say you must have a policy to govern this, and they offer some guidelines. When you get audited, the auditor will examine the current policies and review the environment to see if you are keeping to that policy. If you say you will patch critical systems within 15 days and an auditor comes in to review and finds all your major database servers 30 days out of date from the last patch releases, then they will mark it as a finding.
Basically, if a policy is written, then the policy must be adhered to or it's a finding. In some cases the policy writer will make up something that may sound good on paper but is horrible to implement. I will give you an example from a former job. The ISO stated that ALL systems needed to be compliant within 30 days of patch release. He did not specify any differences between servers, workstations, critical systems, etc. I was the sole person responsible for meeting that demand with 100 servers and 300 workstations, which included traveling laptops. The servers consisted of a number of dev boxes, web servers, an Exchange server with a SAN, a database server (which I later found out had just Windows 2003 with no SPs, as well as 3 versions of MS SQL installed), and a couple of non-Windows systems. Oh, by the way, the only "patch management system" in place was a poorly configured WSUS server. Oh, and did I mention that the only patching was just what Auto-update said was needed, and then the previous person would just reboot and call it a day? This happened for over 3 years before I got in. But I digress; the environment must meet the policy.

Here are the PCI DSS 2.0 guidelines: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf. Requirement 6 goes over patching and such.
23  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: how thorough are 3rd party network security assessments on: April 14, 2013, 09:04:31 PM
If this is for compliance, then the scope may be very broad. Automated tools will be relied on heavily to meet the engagement schedule. The compliance check does not specify what must be covered, so things like social engineering are hardly ever included in scope. The scope may not cover testing of network-level security (router/switch ACLs), and it may not even cover web applications. The test may simply cover the vulnerability assessment, as management may have stated they do not want systems taken down. The one thing you should not receive, however, is a printout of the Nessus scan as the final report. I've seen this come from a fairly large IT company that happens to now do vulnerability assessments. One major problem I had with the report was that it did not specify the specific areas on a website where a finding was found. But I digress: if you have doubts about your current security measures, why not conduct your own tests? Outside testing should be used to help you find the flaws you don't know about or don't have the experience to find. It should not just be a check box on the compliance list.
24  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Looking at vulnerability assessments strategically from a defence side on: April 14, 2013, 08:21:06 PM
Is the vulnerability/pen test a fulfillment of a compliance requirement? As in, are current best practices for patch management, server hardening, and network hardening currently being followed and monitored? If the company is not doing the basics with security, then your scheduled pen test will always find flaws. Does any internal testing occur throughout the year? And is the 3rd party actually performing a true penetration test? Or are they hitting the magic button to auto-scan and just reporting back your vulnerabilities? A true test will show details as to where the vulnerability exists, along with proof that it does truly exist. If they are not digging beyond the scanner, then the results could be false positives.
25  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Certification plans for 2013? on: April 10, 2013, 09:11:07 PM
I didn't have much interest in the 501, but two months ago I took 401 with Eric Cole and did indeed have a blast. 501 is now on my wish list as well.

I think pretty much any SANS conference is going to be awesome. I was only at the recent Orlando conference over the weekend for an exam, but the energy and enthusiasm was off the charts. I'm definitely rethinking shelling out the money for a live course; the networking opportunities may be more valuable than the core course material.

Also, I have three or four books for 501 because I've written some questions for the exam. I thought the 401 material was rudimentary (which is fine if you're starting out), but the 501 material was pretty solid. It definitely seems like a worthwhile course that has content you can't scrape together in a few general books.

Unfortunately, I can't squeeze in the travel this year for it, so it is OnDemand for me. Which is fine; I may shoot for a live one next year. Trying to save some travel requests for things like DerbyCon.
26  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Certification plans for 2013? on: April 09, 2013, 08:10:01 PM
Looks like it will probably be SEC501 for the GCED. Heard the exam is a hoot. Now we will see if they approve it.
27  Ethical Hacking Discussions and Related Certifications / Other / Re: Personal VPNs on: April 09, 2013, 07:59:55 PM
chrisj pretty much explained it. I'll add that firing up your own OpenVPN is fairly easy with the help of Google. There is an .ISO out there that makes installation into a virtual machine pretty easy. If you run it at home, all you would need is a Dynamic DNS account so you don't have to sit there checking to see if your IP address is still the same. Oh, and OpenVPN installed at home is free. You would need some sort of dedicated box (physical or virtual), and it doesn't need to be powerful.
28  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Noob needs some help! Getting started in CEH - hacking at work... on: April 09, 2013, 07:44:32 PM
Sounds like you did a pretty good job at breaking stuff. Pick up some self-study material for CEH to bone up on the topics you may not be as familiar with and go from there. You should be able to pass the test. Or you can use this exercise to see if work will send you to training. You have the aptitude and some decent knowledge. You have proven you are an asset in this field for your company. Worth asking them. Hmm, no USB drives, eh? Can you reach other parts of the internal network from the terminal? File shares and such?
29  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: SQL password hardening through GPO on: April 09, 2013, 07:29:59 PM
OK, well, 20K is probably a good-size enterprise. Why so much SQL? Is there a business need? Seems a bit excessive. The only normal reasoning I could see is if you installed Business Contact Manager for Office or you are a major dev shop.
30  EH-Net / News Items and General Discussion About EH-Net / Re: Change is Coming to EH-Net!! on: April 09, 2013, 07:25:13 PM
1. Are you on-board with what we may have to do?
Very much so, Don! This is a great place, and change is good!

2. How extensively do you use PMs through our forums?
I use it pretty often; it is a good way to take things off to the side. It is also a good way to the job boards.

3. Who's interested in blogging for EH-Net?
I currently try to maintain my own, but I wouldn't mind doing some double duty.

4. Who's willing to help test?
I could lend a hand.

5. Who's willing to possibly help moderate the forums?
I could assist with this as well.

6. Anyone willing to lend a hand who has expertise in PHP, MySQL, design?
My skills here are not so good.

7. Should we implement OpenID, login with Twitter?
I'd prefer to keep my logins separate, but it isn't a deal breaker.