Format: Proctored exam
Renewal: Every 4 years
Many had feared that the practical portion of the GIAC certification program had disappeared. It actually has just been renamed to allow for 2 levels of certification. Silver for the exam alone and gold for the practical.
Editors' Quick Thoughts
GPEN is a brand new certification that will be linked to Network Penetration Testing and Ethical Hacking, a course developed by Ed Skoudis of Intelguardians. His intention is to "personally do everything I can to make you the best penetration tester." It is still in development and will have a few trial runs before making its major debut at the SANS WhatWorks in Penetration Testing & Ethical Hacking Summit in Las Vegas from May 31 – June 9, 2008. This is not replacing GCIH where you get a larger view of the ethical hacking process and more focus on how to handle this "incident" to keep your enterprise running. Also notice that the title specifically states "Network" Pen Testing and Ethical Hacking and doesn't delve as deeply into web application and wireless security as some of SANS other offerings, but those topics will be covered. Said to contain previously unpublished methods used by Ed and numerous professional pen testers, this class is sure to please anyone neck deep in the technology and process of ethical hacking.
From the Horse's Mouth (SANS' Web Site Content):
Find Security Flaws Before the Bad Guys Do
Security vulnerabilities such as weak configurations, unpatched systems, and botched architectures continue to plague organizations. Enterprises need people who can find these flaws in a professional manner to help eradicate them from our infrastructures. Lots of people claim to have penetration testing, ethical hacking, and security assessment skills, but precious few can apply these skills in a methodical regimen of professional testing to help make an organization more secure. This class covers the ingredients for successful network penetration testing to help attendees improve their enterprise's security stance.
We address detailed pre-test planning, including setting up an effective penetration testing infrastructure and establishing ground rules with the target organization to avoid surprises and misunderstanding. Then, we discuss a time-tested methodology for penetration and ethical hacking across the network, evaluating the security of network services and the operating systems behind them.
Attendees will learn how to perform detailed reconnaissance, learning about a target's infrastructure by mining blogs, search engines, and social networking sites. We'll then turn our attention to scanning, experimenting with numerous tools in hands-on exercises. Our exploitation phase will include the use of exploitation frameworks, stand-alone exploits, and other valuable tactics, all with hands-on exercises in our lab environment. The class also discusses how to prepare a final report, tailored to maximize the value of the test from both a management and technical perspective. The final portion of the class includes a comprehensive hands-on exercise, conducting a penetration test against a hypothetical target organization, following all of the steps.
The course also describes the limitations of penetration testing techniques and other practices that can be used to augment penetration testing to find vulnerabilities in architecture, policies, and processes. We also address how penetration testing should be integrated as a piece of a comprehensive enterprise information security program.
This SANS course differs from other penetration testing and ethical hacking courses in several important ways:
- We get deep into the tools arsenal, with numerous hands-on exercises that show subtle, less-well-known, and undocumented features that are incredibly useful for professional penetration testers and ethical hackers.
- The course discusses how the tools inter-relate with each other in an overall testing process. Rather than just throwing up a bunch of tools and playing with them, we analyze how to leverage information from one tool to get the most bang out of the next tool.
- We focus on the workflow of professional penetration testers and ethical hackers, proceeding step-by-step discussing the most effective means for conducting projects.
- The sessions address common pitfalls that arise in penetration tests and ethical hacking projects, providing real-world strategies and tactics for avoiding these problems to maximize the quality of test results.
- We cover several timesaving tactics based on years of in-the-trenches experience from real penetration testers and ethical hackers, actions that might take hours or days unless you know the little secrets we'll cover that will let you surmount a problem in minutes.
- The course stresses the mind-set of successful penetration testers and ethical hackers, which involves balancing the often contravening forces of creative "outside-the-box" thinking, methodical trouble-shooting, carefully weighing risks, following a time-tested process, painstakingly documenting results, and creating a high quality final report that achieves management and technical buy-in.
- We also analyze how penetration testing and ethical hacking should fit into a comprehensive enterprise information security program.
Who Should Attend?
Security personnel whose job involves assessing target networks and systems to find security vulnerabilities. The course is ideally suited for system administrators, technical auditors, professional penetration testers, and consultants who want technical depth and hands-on experience with penetration testing and ethical hacking tools.