Wednesday, March 19, 2008

NYMISSA: Ethical Hacking

Every month, I tried to attend the meetings of the local chapter of the information system security association. Since I started attending, the topics were usually geared to management-type topics, such as legal issues, strategic outlook for the next 5 years, etc. Today's session was refreshingly different; the topic was ethical hacking, which seems to be the currently fashionable euphemism for penetration testing.

The organizers of today's event were able to get two very knowledgeable speakers. Lenny Zeltser hosted a presentation on penetration testing without going after known vulnerabilities in software. He covered reconnaissance using Google, social engineering via email, as well as some other topics. Lenny is currently leading the New York security consulting team at SAVVIS, and he is also a SANS incident handler and faculty member.
While I did not learn very many new things from Lenny's talk, it was very entertaining to observe the people in the audience who did not have a technical security background. I saw many different 'clicks' where people suddenly experienced an 'oh crap'-moment. The presentation was good, and I enjoyed it a lot.
The second presenter of the day was Dean De Beer of the Columbia University Medical Center. Dean's presentation was much more technical than Lenny's, but it could still be followed very well by people who had a less-developed technical background. During the course of the presentation, quite a few people who were clearly in over their heads left, but the remaining audience stayed focused. Dean presented the Metasploit framework and got some good questions. By the end of the session, a large number of professionals were shaking their heads in disbelief at how easy he made it seem to obtain access to an unpatched machine.
While in my view, Dean could have put some more emphasis on the fact that Metasploit will only run against known vulnerabilities, and that properly patched machines are usually not easily targeted, he was able to convey the message that corporate patch policies should apply equally to workstations as they do to servers. A corporation's defenses are only as good as the weakest link.
The concept of 'reverse shells' also seemed to be new to some of the attendees. All in all, Dean's presentation was very informative and I got a better understanding of the Meterpreter payload. Not surprisingly (as they seem to get all the best pros), Dean also works with SANS.
Summarizing: I had a good time at the event, and I'll definitely go again. Both Lenny and Dean are good presenters and excellent professionals.
