.

An announcement and a question about training

<<

mmurray

User avatar

Newbie
Newbie

Posts: 17

Joined: Fri Jul 25, 2008 11:03 am

Location: Fremont, CA

Post Wed Dec 17, 2008 6:12 pm

An announcement and a question about training

First, I'm announcing that I was really sick and tired of the sad state of affairs that passes for training of penetration testers these days.  So, I'm working with some friends to try and fix it.  We are launching a new class that we hope not only prepares people for certs, but actually makes them great penetration testers.

Blog post: http://episteme.ca/2008/12/17/getting-information-security-training-right/
Press Release: http://www.prweb.com/releases/2008/12/prweb1759624.htm

Now, for the question: I certainly have (a huge number of) my own thoughts on the matter.  But I want to ask, because my goal is to make a curriculum full of what is being used in the real world.

If you could add one thing that you use in the real world that is left out of the CEH/pen test classes that you have seen/taken, what would it be?
--
Mike Murray
MAD Security / The Hacker Academy

Email - mmurray@thehackeracademy.com
Phone - 773-360-0658
Twitter: http://www.twitter.com/mmurray
<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Wed Dec 17, 2008 6:55 pm

Re: An announcement and a question about training

Mike,

my first reaction to what is missing from pen-test courses would be 'me' can't get myself the time or resources needed to take all the courses I want  ;)

On a more serious note, it could be useful to have a module (or at least reference other sources of information) based around presenting security information to 'business' people. One thing that I always struggle with is managing to explain the latest and greatest exploit or attack vector to non-security people, most attempts result in 'that's interesting...' followed by their desire to be somewhere else.

I don't think it matters how well a penetration test or technical audit is performed technically if those in power and controlling the purse strings can't understand the risks then the right action is not going to get taken.

I can't speak for all pen-test courses (I have seen OSCP and CEH courseware material) but this isn't something that I've seen in any depth (or at all). Although from reading through some the SANs offerings this may be something that is present in their courses.

Overall I like the aspects of the course as you describe them in your blog posting, especially keep the courseware updated in line with the experiences and findings of an actual pen-test team on the front-lines.

Only issue I can see is I'm not sure how you'll be able to both keep the material upto date (you mention quarterly updates) and at the same time keep the taught material consistent between different instructors and classes (another goal you describe). To me that seems like a too frequent update cycle to keep that tight control over.

Hope you have some success, if you manage to produce a course as you describe it'll definitely be added to my training wishlist.

<minor edits for grammar/clarity, I shouldn't be posting to forums at midnight at the tail end of a 16hr+ shift  :(>
Last edited by RoleReversal on Wed Dec 17, 2008 6:58 pm, edited 1 time in total.
<<

mmurray

User avatar

Newbie
Newbie

Posts: 17

Joined: Fri Jul 25, 2008 11:03 am

Location: Fremont, CA

Post Wed Dec 17, 2008 9:36 pm

Re: An announcement and a question about training

RR,

Awesome!  Good to know I anticipated... We're planning on the last module being about reporting to executives.

While there are some out there that are already doing some of that (and ECSA has some content on it), you nailed it - most of what's out there isn't doing a good job of actually explaining the risk to executives. 

It's something I've been working hard on myself with Foreground's pen-test team - gong from simply presenting data in the reports to actually presenting real, useful, and actionable information.

When I was on the other side, having to dig through a 100 page report to figure out that we needed to do 3 things drove me INSANE.

-Mike
--
Mike Murray
MAD Security / The Hacker Academy

Email - mmurray@thehackeracademy.com
Phone - 773-360-0658
Twitter: http://www.twitter.com/mmurray
<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Wed Dec 17, 2008 11:27 pm

Re: An announcement and a question about training

mmurray wrote:Awesome!  Good to know I anticipated... We're planning on the last module being about reporting to executives.


Nice, looks like you're waayyy ahead of me :D
<<

apollo

Full Member
Full Member

Posts: 146

Joined: Fri Apr 04, 2008 7:44 pm

Post Wed Dec 17, 2008 11:41 pm

Re: An announcement and a question about training

A discussion of looking beyond the vulnerabilities to the business processes which allowed them to be exposed may be a positive point as well.  While it's easy to point out all the stuff that's busted, coming up with a strategic plan that will keep an environment secure way longer than the next patch Tuesday would be great.  In many of the reports that I've seen, the strategic recommendations seem to be lacking.

Another one that I haven't seen much done with is evaluating network configuration.  For instance, layer 2 attacks are still effective without countermeasures in place, so a discussion of arp poisoning, and a discussion of why those protections are important might be nice.  MITM seems to be discussed a lot recently with tools like squirtle, cain and able, beef, and middler, etc.

Sounds like a neat class.  With your skills in social engineering, I hope that makes a showing as well :)   
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
<<

mmurray

User avatar

Newbie
Newbie

Posts: 17

Joined: Fri Jul 25, 2008 11:03 am

Location: Fremont, CA

Post Wed Dec 17, 2008 11:57 pm

Re: An announcement and a question about training

Apollo - definitely, on all 3 of those counts.  :-)

Beyond just MITM, I want to get in to a more detailed treatment of VLAN hopping than I've seen.  I just don't see anyone talking about how to use Mausezhan often enough, and that has been a particularly interesting one for me, esp. when talking about UDP.

-Mike
--
Mike Murray
MAD Security / The Hacker Academy

Email - mmurray@thehackeracademy.com
Phone - 773-360-0658
Twitter: http://www.twitter.com/mmurray
<<

LSOChris

Post Thu Dec 18, 2008 10:08 am

Re: An announcement and a question about training

Mike,
I read your blog post on the course.  couple of comments but a current list of module topics would help :-)

1.  its tough to say drop all things that are "old", old stuff still works alot of the times, especially on internal assessments.  You need still need to know old stuff especially if new attacks build on old stuff or more importantly you have to link a few "issues" together to create an exploitable vulnerability for a pentest. 

2. the industry needs to stop trying to and saying the can make someone a pentester in a week (not sure how long you plan your course to be) its just not possible.  there is too much background material and no one enforces any prerequisites.  Want to make a great class. list the stuff people should know any make them take a HARD pretest.  no pass pretest, no take class. simple.  that way you can do away with a large chunk of the "old" and background material and focus on new techniques.

3. for new techniques i'll give you some stuff that I think must be covered.
* scoping pentest work; how long, many man hours, how much, etc
* pick one or several accepted methodologies (like OSSTMM) and USE it through the whole process, if you dont discuss why you dont
* documentation during and after a pentest, no one ever mentions how to log all your commands or take proper notes and screenshots and why that is important
* technology-wise need to cover; client side attacks, passing the hash, token stealing, turning sqli and xss into actionable shells versus information disclosure.

those first 3 are very much OJT and what makes the difference between junior and senior pentester but since you asked I threw it in there.

-CG
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Thu Dec 18, 2008 11:25 am

Re: An announcement and a question about training

I agree with a lot of what Chris said, although most of those topics in point 3 are covered in the SANS SEC560 (Network Pentesting course).

I still need to go read the blog regarding the course, but as Chris mentioned I think a list of topics would be helpful to properly compare to the others. Especially if you're directly comparing to CEH as the follow-on courses include different material.

BillV

Return to General Certification

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software