Is Hacking training doing us wrong?

<<

SephStorm

Hero Member

Posts: 569

Joined: Sat Apr 17, 2010 12:12 pm

Post Thu Feb 23, 2012 6:59 pm

Is Hacking training doing us wrong?

Hi all,

I've been thinking back over where I have come from in the past few years. No doubt I have learned a lot. And I can apply some of that knowledge. But I was thinking today, does IT Sec training really prepare us for the challenges we face?

I am a CEH. I am supposed to know the tools, techniques, and tactics that a hacker uses to compromise a network. A year ago I would have told you that I probably had a good idea about something like that. But I am thinking, in an age of Advanced Persistent Threats, with "cyberwar" on the horizon, how has my training prepared me for that?

I know that an attacker will try to hide their location before they perpetrate their attack. From just general knowledge I know of some of the techniques, like Tor or tunneling. But none of my training mentioned this. Had I not tried Tor for myself I would have no idea how it is used or its limitations. I've done a little research on how to tunnel traffic through Tor, but I don't think I could use it effectively.

I know that attacks are often traced back to perpetrators, possibly across the world, through multiple computer systems or networks, but I don't know how. It goes on through all the phases of the hacking process, I suppose. I know about trojans, maybe I can download one, run it through a program to change its signature (fuzzing, right?), but this knowledge comes in piecemeal, over time.

Honestly, I guess I'm a little frustrated. I know there are a lot of people with a lot more knowledge, skills, and experience than me. How does one get to that level? How do you get to that place where you can sit there and write a report where you can say, "this is what happened, and this is how they did it, and this is how you can prevent it."?

Am I alone in this?
sectestanalysis.blogspot.com/
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Feb 23, 2012 7:26 pm

Re: Is Hacking training doing us wrong?

I think you need to consider how much time and effort those experts have put into obtaining their knowledge and developing their skills. It's a marathon that never ends, not a race. As long as you keep putting forth the effort, you'll make similar strides over time.

It sounds like you need to spend some time working on incident handling and intrusion analysis. If you don't have it already, get Ed's Counter Hack: Reloaded book. It's a great starting point. Don't you also have the GCIH completed/in-progress? That should take some of the mystery away for you.

I think the most critical piece of the puzzle is having the appropriate logging/monitoring systems in place at the onset and being able to identify suspicious activities amidst all the other information that's being collected. By not focusing solely on defense, and being properly prepared for a compromise, many attacks can be identified, contained, and remedied with a reasonable amount of effort.
The day you stop learning is the day you start becoming obsolete.
<<

Br0ken

Newbie

Posts: 4

Joined: Mon Nov 07, 2011 4:22 pm

Post Thu Feb 23, 2012 7:30 pm

Re: Is Hacking training doing us wrong?

Am I alone in this?


Take it from a 12-hour-old pen tester - you are not alone in this thought.

I got told this morning that I am going to become an in-house pentester. Right now I have no training, no experience, and at most I have played with a few hacking tools. I can tell you this though: I agree with your post one hundred percent.

How does one get to that level? How do you get to that place where you can sit there and write a report where you can say, "this is what happened, and this is how they did it, and this is how you can prevent it."?


I don't know if this will help you or not, but I am planning on looking at "both" sides of the attack. What I am thinking would be best to become one of the more "experienced" testers (please correct me if I am wrong on this) is to set up an actual server and then attack it using the various methods that you find posted on the web or learned in class. Once you have performed the attack, then look at the attack from the "Protectors" view and try to trace the attack back to the source. That way you get to see what logs are created and how the investigative process happens. Once you understand how the attack was performed, then you can concentrate on how to prevent it. Once you feel you have a handle on attack type A, then move on to attack B. If and when you get through a bunch of attacks you will start to see patterns and it will become easier to see what happened, thereby making the reports easier.

Like I said, I am new to all of this and do not know squat, but this is my plan and I guess I can only hope that it is the correct path.

Edit: listen to ajohnson; he is probably wiser than I on this stuff.
Last edited by Br0ken on Thu Feb 23, 2012 7:42 pm, edited 1 time in total.
<<

docrice

Newbie

Posts: 31

Joined: Sun Nov 20, 2011 3:19 am

Post Fri Feb 24, 2012 4:42 am

Re: Is Hacking training doing us wrong?

I understand your pain.  I'm one of those people with a collection of certs that probably gives people the impression that I'm good at what I do, and in the real-world it's quite the opposite.  All the formal training and self-studies that I've gone through have helped, but reality is filled with tons of nuances that have to be carefully weighed appropriately for different environments with different requirements in varying capacities.  You have to love reading.reading.reading and almost drowning in the flood of information that's thrown (not handed) at you.

I think part of this feeling of being overwhelmed is that everything is a moving target.  If you finally get your sensors and logging and all the visibility in place, now you have to make sense of the large wall of data.  Then you see these events and have to interpret how they evolved.  And somehow in all this mess, one has to make time to stay up with the daily news.  There's overlap in all the areas of security, people may expect you to perform miracles, and in many ways it's a thankless job.

But it's fun.  After an exhausting day, you might still be left wanting more after you get your sleep (and I do recommend sleeping).

I'd assume that even the folks considered at the top of the pack still feel overwhelmed by the constantly changing landscape. Don't look at infosec as getting to the last stage in the game where you fight the main boss - it's a never-ending cycle of hard work and fun where you'll never be bored if you're curious enough.
GSEC, GCFW, GCIA, GCIH, GWAPT, GAWN, GPEN, OSWP, WCNA, CCNA, CCNA Security, SFCP, SnortCP, and more useless acronyms.

Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Fri Feb 24, 2012 9:20 am

Re: Is Hacking training doing us wrong?

Br0ken wrote: Like I said, I am new to all of this and do not know squat, but this is my plan and I guess I can only hope that it is the correct path.


You clearly know something because that's dead-on. You should read Tom's recent post (http://www.ethicalhacker.net/content/view/408/2/) and possibly check out his Hacking Dojo service as well. It's affordable for what you get, and it will help you get up to speed quickly, especially because of the pros that you can ask questions to.

Br0ken wrote: Edit: listen to ajohnson; he is probably wiser than I on this stuff.


Perhaps. As always, take it with a grain of salt ;)

docrice wrote: I understand your pain. I'm one of those people with a collection of certs that probably gives people the impression that I'm good at what I do, and in the real-world it's quite the opposite.


I disagree. I think by and large you're one of the better ones out there. I think we lose perspective when we do things like following dozens of people we really respect on Twitter. We put ourselves in a position where we get bombarded with high-level expertise, and after a while, we feel inadequate.

However, that's not representative of the real world and sea of information security "professionals." A friend of mine recently did a security assessment for a relatively small financial institution, and their security guy hadn't even heard of SSH before. I have many similar stories from my own experience. I think if most of us stepped back and looked at everything in perspective, we'd probably find that we were better off than we realized.

docrice wrote: You have to love reading.reading.reading and almost drowning in the flood of information that's thrown (not handed) at you.


This. Remember that a lot of people excel in this field because they find it entertaining and make it their hobby. If you put more importance on putting 40 hours into WoW or watching TV every week, there's no way you can be on the same level.

docrice wrote: I'd assume that even the folks considered at the top of the pack still feel overwhelmed by the constantly changing landscape.


Maybe. I think a lot of that comes down to attitude and perspective, which you can change if you put the effort in. Most of us got into this field because we were drawn to the constant change and would get bored otherwise, yet we seem to view those changes as burdensome rather than interesting. It seems like whether you focus on offense or defense would dramatically affect your views as well. 
The day you stop learning is the day you start becoming obsolete.
<<

Eleven

Full Member

Posts: 121

Joined: Thu Nov 10, 2011 6:47 pm

Post Fri Feb 24, 2012 9:50 am

Re: Is Hacking training doing us wrong?

The CEH is an entry level penetration testing certification.  I'm sure it doesn't go into much detail on the forensics side of security so you won't be able to say "this is what happened, and this is how they did it."  The CEH is supposed to give you the basics on how to attack computers, rather than detect and investigate attacks.  Heck, even forensics is a huge field which causes people to have to specialize in certain areas of forensics.

You need to find an area to specialize in and once you understand that, then you can think about branching out to other areas.
<<

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Fri Feb 24, 2012 10:25 am

Re: Is Hacking training doing us wrong?

I don't think hacker training in general is giving us the wrong knowledge, but some training providers are giving us most of the tools (knowledge) 14-16 year olds already have, whereas the higher-level practical knowledge is only found with very few training providers currently.

There are many things in hacking which you will learn a lot more about if you study them yourself (and become dedicated too), even though it may take a long time: learning exploit development from, e.g., the guys at Corelan, Rapid7 (Metasploit developers) and perhaps OffSec; web app sec from, well, various random resources; intrusion detection and prevention from experienced people who blog about their experiences, creating new custom rules that detect the latest malware, etc. It's often hard to find the best resources to learn from if you're completely new.

If we go back just ~10 years, it was even harder, and if we go back even further, a lot harder, because good information about hacking was almost like a dark art back then that was hard to obtain. (At least that's how I felt, when you don't know where to go, who the leading experts are, or at least, the good resources you can learn a lot from. If there was a single place where you could learn everything from, I would've studied that intensely.)

Today it's thankfully a lot easier, but becoming an expert, or close to it, or for that matter the all-round pentester that knows everything, isn't easy, as there's so much information.

Some people are excellent exploit writers, but lack skills in web app sec. Some people in web app sec are just the opposite. (Because both areas are huge. Even though I've always thought of exploit development as a lot harder than web app sec, which I always thought everyone knew and was just the "basics", the starter level, apparently I was wrong, because I've recently seen more and more people needing to know the right path within the area.)


Therefore, I'm happy to say that even I am fiddling with the idea of creating a good resource for practical knowledge about web app sec.

ajohnson wrote: A friend of mine recently did a security assessment for a relatively small financial institution, and their security guy hadn't even heard of SSH before. I have many similar stories from my own experience.


That's crazy, especially because you say that you have many similar stories.

I remember that once, during an internship roughly 4 years ago, I ran a few tools and didn't do much custom work during black-box pentests. I once discovered that most of a particular network used outdated VNC software (with known vulnerabilities like authentication bypasses). I wondered who was in charge of security? Turned out to be the sysadmin, who apparently didn't follow security issues with programs in particular, as there were plenty of other vulnerabilities there too. (All because of outdated software.)
I'm an InterN0T'er
<<

alucian

Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Fri Feb 24, 2012 10:27 am

Re: Is Hacking training doing us wrong?

@SephStorm

I understand your frustration. I sometimes suffer from this, but I look at the ones around me and I feel better :)

One solution to your problem would be to create a sub forum, something like noob self study. Here you can come to a problem/question and someone more experienced could point you in the right direction.
After receiving the help, you'll have to solve the problem and to present the solution to the others. The best way to learn something is by teaching it.

For example, let’s say that someone is interested in web cracking, and wants to learn it. A "mentor" could point him to the right resources, and the student will prove that he has mastered the subject by doing a small video where he shows his way of doing it.
Maybe after a time the sub forum will die, or it will become overpopulated, but it might be an opportunity to gain knowledge and experience.

Another variant will be to create small teams of ethical hackers, and try to share knowledge, and to solve problems together.

And yes, you can take training. The problem with the trainings is that you are alone. One piece of advice K Johnson gave us when we finished the course was to create a team and to work together. Until now I don't have someone to share my passion, and to try to work with. An EH team would be nice.
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
<<

lorddicranius

Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Fri Feb 24, 2012 10:35 am

Re: Is Hacking training doing us wrong?

ajohnson wrote: I think we lose perspective when we do things like following dozens of people we really respect on Twitter. We put ourselves in a position where we get bombarded with high-level expertise, and after a while, we feel inadequate.


I've never thought of it like this before, but that makes sense. Thanks for that perspective. Now to just keep this in mind every time I'm on Twitter :P

ajohnson wrote: A friend of mine recently did a security assessment for a relatively small financial institution, and their security guy hadn't even heard of SSH before. I have many similar stories from my own experience. I think if most of us stepped back and looked at everything in perspective, we'd probably find that we were better off than we realized.


Well I know I feel better about myself now lol

MaXe wrote: I remember that once, during an internship roughly 4 years ago, I ran a few tools and didn't do much custom work during black-box pentests. I once discovered that most of a particular network used outdated VNC software (with known vulnerabilities like authentication bypasses). I wondered who was in charge of security? Turned out to be the sysadmin, who apparently didn't follow security issues with programs in particular, as there were plenty of other vulnerabilities there too. (All because of outdated software.)


Sadly, this is my situation right now (outdated software) and it's due to a few factors: lack of infrastructure to manage software centrally, lack of funding to update said infrastructure, small IT team with too many things to do that often take precedence over updating software because "if it works, why update it?" *facepalm*
GSEC, eCPPT, Sec+
<<

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Fri Feb 24, 2012 10:40 am

Re: Is Hacking training doing us wrong?

@lorddicranius, about centralized management of software and updating it, check out Heimdal https://www.heimdalagent.com/en/features , not sure if it's what you need or what you're looking for, but it seems decent even though I'm sure there are many other solutions. :)

alucian wrote: Until now I don't have someone to share my passion, and to try to work with. An EH team would be nice.


I consider (some) IRC channels a place to share ideas and sometimes even get help with various topics, so feel free to drop by and hang out at #intern0t , even though most of the topics aren't infosec related, people often try to help each other out. (Just like a team would do.)
I'm an InterN0T'er
<<

DragonGorge

Jr. Member

Posts: 86

Joined: Wed Feb 08, 2012 6:30 pm

Post Fri Feb 24, 2012 12:07 pm

Re: Is Hacking training doing us wrong?

As much as I've griped about EC Council training, I personally think any training you learn something/anything from is valuable to some degree. I guess if you can say, "I learned something" it's not a complete waste. Now whether or not learning that DES encryption uses 56 bits is worth $1000, well that's a matter for debate. What the CEH gave me was not the ability to pen test or hack but the broad knowledge of what's out there and to a small degree, how to defend against it. Because of CEH I can say that I know *of* SQL injection, XSS, buffer overflows, sniffing, etc. I would imagine that most of the entry level security courses would be the same. Now it's up to me to develop that high level knowledge into a true skill.

It seems to me that any training you receive is obsolete the moment you've completed it. Like a new car, by the time you hang that certificate on the wall its value has already depreciated significantly. This field, like any other technological one, is constantly evolving and I think it falls upon the W/B/G Hat to keep up with the latest techniques.

Like you though, I've been feeling overwhelmed by what I don't know. I get this feeling that what separates the White Hat from the script kiddie is in-depth knowledge of: SQL, Java, Javascript, Perl, Python, Backtrack, Metasploit, and the list goes on and on. I think ajohnson said it best, the guys that are true masters at this stuff live and breathe it. While I'm playing a computer game (not WoW) or watching Big Bang Theory or Netflix movies, these guys are perusing the forums and security news, et al. I'm just not sure I'm ready to devote my life to this stuff, especially since it's not my profession but more of a hobby and something that might distinguish me during a layoff period.
<<

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Fri Feb 24, 2012 1:57 pm

Re: Is Hacking training doing us wrong?

DragonGorge wrote: It seems to me that any training you receive is obsolete the moment you've completed it. Like a new car, by the time you hang that certificate on the wall its value has already depreciated significantly. This field, like any other technological one, is constantly evolving and I think it falls upon the W/B/G Hat to keep up with the latest techniques.


If you learn in-depth techniques of SQL Injection, XSS, LFI/RFI, etc., then it won't be obsolete. XSS has existed for like 10 years now, and there are plenty of websites vulnerable to it; even Apache got compromised via XSS recently (2010; new things get old very fast on the Internet, but some things never get old): https://blogs.apache.org/infra/entry/ap ... 04_09_2010

Of course, CSRF, Click-jacking and many other sorts of [insert word]-Jacking have been developed over the recent years, but these old vulnerabilities, they still exist. It's just not as often as it used to be that they're found in web applications anymore (e.g., RFI and LFI), but they do exist.

It's like buffer overflows, one of the oldest, if not the oldest, hacking techniques, which involves redirecting the execution flow of a program to hit your shellcode / injected backdoor instead. It still exists, but most of the easy picks are gone now (unfortunately xD ); more layers of security have been added, but over time these are defeated. ASLR, DEP, NX, etc., all of them have in some way been defeated or are possible to bypass.

So I wouldn't say it's obsolete, but you are right that some things you learn in "hacking courses", are obsolete and shouldn't really be included, but they're good "fillers", which is equal to: money.  ;D

About dedicating yourself, and not just making hacking a hobby: To be honest, even though I often use a lot of my time, I have had time for e.g., friends, family, girlfriends, movies, partying, tv, sitting on IRC for hours talking about anything but hacking, even computer games (not all of the time, but some of the time on occasion when I needed a break), so you can see, having a life besides hacking is possible, but using a lot of time to become good is expected :-)

In fact, doing all this kind of stuff that has almost nothing to do with hacking may seem like a waste of time, but the beauty of it is that it gives me inspiration to do various things. Not saying it's the same with everybody else, but doing only hacking 24/7 is rare if possible.

After all, you also have to make food, take baths, go to the toilet, pay the bills, go to work which may not be related to infosec, and many other things, but inside, you can be and think as a hacker 24/7  :)
I'm an InterN0T'er
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Fri Feb 24, 2012 4:36 pm

Re: Is Hacking training doing us wrong?

A healthy balance is indeed highly recommended :)

The point I was making was simply that if your motivations are money, job security, glamour, etc., you're going to have a very difficult time achieving as much as someone who has an innate passion for the material.
The day you stop learning is the day you start becoming obsolete.
<<

SephStorm

Hero Member

Posts: 569

Joined: Sat Apr 17, 2010 12:12 pm

Post Fri Feb 24, 2012 5:30 pm

Re: Is Hacking training doing us wrong?

You guys are right, honestly I was surprised when I saw how many replies this thread had gotten. And I know some of these things, it's a process, but I intend to dissect this thread soon to glean all of the knowledge I can (as long as I don't have to get a Twitter account :p )

I know for one, I need to get back in the lab and start hacking again.
sectestanalysis.blogspot.com/
<<

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Thu Mar 01, 2012 1:22 am

Re: Is Hacking training doing us wrong?

I think, like with all education, that training classes give you a step in the right direction.  They provide you with a good base so that you can decide how far you want to go.  InfoSec, like with InfoTech, is a very general area.  There are many paths to follow and it is up to you to decide which ones best fit your interests.  Then you need to continue building the skills.  The certification is much like a degree and without any experience to back it up, it is worth about as much as the paper it is printed on.  

Specialization is key to surviving in the business of IT and InfoSec but also being able to adapt to the changing landscapes is just as good.  Like right now being able to detect the presence of a targeted attack is a handy skill.  But in order to master such a skill you either need to buy really expensive log management solutions that send you alerts geared toward that type of activity or become a good log analyst and understand the different areas of IT to know when you see something that doesn't quite fit.  Then you need to follow the bread crumbs.  Eventually you will come across some suspicious files and that is where some level 1 malware analysis will be needed.

Knowing what I know now about IR, I would say that can certainly give you some good exposure to a number of other interesting skills involved with responding to incidents. But to be good at it, you really need a solid base of IT based skills to be good at the log analysis and incident response.

But we have all felt overwhelmed at one point in our careers and it's natural to question your previous education. There will always be entry level certs and more advanced counter-parts but both require dedication to continuing your education beyond the classroom.
Certs: GCWN
(@)Dewser