SANS Security 504: Hacker Techniques, Exploits and Incident Handling
When people ask me what my focus area in information security is, I usually answer with "upper-tactical to mid-strategic levels" if it is someone with a business background, or "just about anything non-technical" when it is someone with a technical background. At the moment, my focus seems to be mainly in four areas: policy development, business continuity & disaster recovery, user awareness and incident management. In the past, I have done architectural work (mostly related to SIM/SIEM, NIDS/NIPS, HIPS, etc.) and lots of hands-on things (sysadmin, some packet analysis, vulnerability scanning, etc.).
The last year-and-a-half or so, I have been (too) far away from operational things, which is why I was very happy when I was given the opportunity to take some additional training. Not only does it keep me in touch with "real work", it also gives me a good refresher on what the bad guys are up to, and more specifically, HOW they do it.
For the last few days, I have been really enjoying the SANS SEC504: Hacker Techniques, Exploits and Incident Handling course, which I follow via the SANS OnDemand program. Very interesting material, and I enjoy Ed Skoudis's presentation style a lot. I learned some new things (nifty stuff, that idle scanning), and also some scary things (Windows NULL sessions giving out system information to someone without a username, without a password, without a domain and without knowing where they are coming from?!).
The SANS Institute is also very good about giving feedback on comments that I sent them, or questions that I asked. Typos get fixed almost immediately, and certain comments that I made are countered with well-argued reasons.
While I haven't made up my mind yet if I'm going to shell out the $500 to do a certification attempt at the end of the road, I feel that the course fee is worth the expense.
Interestingly enough, with the course fee comes a CD with Bad Stuff on it. Since I more or less expected it, I made sure that my machine was not connected to the network before I put it in. Good thing I did; Symantec Antivirus must have popped up at least three or four times to warn me about bad things on the disc :-)
Also included on the disc is a VMware image (compressed with the RAR archiver) that contains a RedHat OS. Unfortunately, I either missed the required username/password, or it was not provided with the CD (my books have not arrived yet), so I had to 'gain entry' to the image another way. Most likely, the easiest way is as follows:
- Boot the VMware image. Right after the VMware splash screen disappears, hit ESC; that should take you straight to the GRUB menu.
- Highlight the entry you want to boot and hit the e key.
- At the end of the first line (the one that boots the kernel), add the word 'single' (no quotes) and hit ENTER.
- Hit the b key to boot the system. After the usual, rather elaborate Red Hat boot chatter, you should be sitting at a root prompt. Give the command 'passwd student' and pick a nice new password for that user.
- Give the command 'shutdown -r now' and wait until your virtual machine reboots. You can now log in with username student and your new password. Best practice dictates that you do not log on using the (privileged) root account.
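The steps above work because nothing on the lab image stops someone at the console from editing the kernel line or from getting a shell in single-user mode; the same holds for any Red Hat box of that era with an unprotected boot loader. As an added example (not from the course or its VM image), the script below checks for the two controls that close that path: a `password` directive in the legacy GRUB config, which makes the menu demand a password before `e` or `c` does anything, and a `sulogin` entry in `/etc/inittab`, which makes single-user mode ask for the root password instead of handing out a shell. The sample config files, their names and the placeholder hash are constructed for the example.

```shell
#!/bin/sh
# Added example: check whether a Red Hat-era system lets a console user reach a
# root shell via GRUB's edit menu and 'single', as in the steps above.
# Not part of the course or its VM; the file contents below are constructed samples.

# 0 if the legacy GRUB config has a global 'password' directive
# (GRUB 0.9x then demands it before 'e' or 'c' works at the menu).
grub_has_password() {
    grep -Eq '^[[:space:]]*password[[:space:]]' "$1"
}

# 0 if /etc/inittab runs sulogin for single-user mode, so 'single'
# prompts for the root password instead of dropping to a shell.
inittab_requires_sulogin() {
    grep -Eq '^[^#]*:[1Ss]:[a-z]+:/sbin/sulogin' "$1"
}

# Report both controls; returns the number of missing ones (0 = hardened).
check_single_user_hardening() {
    missing=0
    if grub_has_password "$1"; then
        echo "ok:      GRUB menu editing needs a password ($1)"
    else
        echo "missing: no 'password' line in $1, kernel line can be edited at boot"
        missing=$((missing + 1))
    fi
    if inittab_requires_sulogin "$2"; then
        echo "ok:      single-user mode asks for the root password ($2)"
    else
        echo "missing: no sulogin entry in $2, 'single' gives a root shell"
        missing=$((missing + 1))
    fi
    return $missing
}

# Constructed samples: a default-looking pair and a hardened pair. Prints the directory.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/grub.conf.default" <<'EOF'
default=0
timeout=5
title Red Hat Linux
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/hda2
        initrd /initrd.img
EOF
    cat > "$dir/inittab.default" <<'EOF'
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l1:1:wait:/etc/rc.d/rc 1
EOF
    # The hash is a placeholder; generate a real one with grub-md5-crypt.
    cat > "$dir/grub.conf.hardened" <<'EOF'
default=0
timeout=5
password --md5 $1$PLACEHOLDER$notARealHash
title Red Hat Linux
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/hda2
        initrd /initrd.img
EOF
    cat > "$dir/inittab.hardened" <<'EOF'
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
~~:S:wait:/sbin/sulogin
l1:1:wait:/etc/rc.d/rc 1
EOF
    echo "$dir"
}

# Usage: run both sample pairs through the check.
SAMPLES=$(make_samples)
for variant in default hardened; do
    echo "== $variant =="
    check_single_user_hardening "$SAMPLES/grub.conf.$variant" "$SAMPLES/inittab.$variant" \
        || echo "-> $? control(s) missing"
done
```

Point the two check functions at a real `/boot/grub/grub.conf` and `/etc/inittab` to audit a system; the default-looking pair reports both controls missing, the hardened pair reports none. Note that a GRUB password only protects the menu, not a console with physical or hypervisor access to the disk, so on a lab VM this is a speed bump rather than a wall.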
Oh, another thing that you might want to do: in the VMware settings, change the properties of the network card from Bridged to Host-only. A bridged network card will manifest itself directly on your (corporate) network with a newly generated MAC address. More often than not, this is NOT what you want.
Not that I do not trust Ed, but... you know :) Just to be sure, you might also want to run packet capturing software (e.g. Wireshark) on your host OS's host-only interface to figure out what other goodness is there.
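The Bridged/Host-only choice lives in the VM's .vmx file as the `ethernetN.connectionType` key, so it can be checked before the image is ever powered on rather than after the guest is already on the wire. As an added example (not the course's or VMware's own tooling), the script below reports each enabled adapter's connection type from a constructed sample .vmx and writes a copy with every bridged adapter switched to host-only. It assumes an adapter with no `connectionType` key behaves as bridged, which is VMware's default for that key; the sample file and its contents are mine.

```shell
#!/bin/sh
# Added example: inspect a VMware .vmx file for adapters that would bridge the
# guest onto the physical network, and write a copy switched to host-only.
# Not from the course; the sample .vmx below is constructed.

# Print one "ethernetN:<connectionType>" line per enabled adapter.
# Assumption: an adapter with no connectionType key is reported as "unset"
# and counted as bridged, which is VMware's default for that key.
vmx_adapter_report() {
    f=$1
    sed -n 's/^\(ethernet[0-9]*\)\.present *= *"[Tt][Rr][Uu][Ee]".*/\1/p' "$f" |
    while read -r nic; do
        ctype=$(sed -n "s/^$nic\.connectionType *= *\"\([A-Za-z]*\)\".*/\1/p" "$f")
        echo "$nic:${ctype:-unset}"
    done
}

# Number of adapters that would end up on the physical network.
vmx_bridged_count() {
    vmx_adapter_report "$1" | grep -c -E ':(bridged|unset)$' || true
}

# Write a copy of the .vmx with every bridged adapter changed to host-only.
vmx_to_hostonly() {
    sed 's/^\(ethernet[0-9]*\.connectionType *= *\)"bridged"/\1"hostonly"/' "$1" > "$2"
}

# Constructed sample: two adapters, one bridged, one already host-only.
vmx_make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/lab.vmx" <<'EOF'
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "4"
displayName = "lab-vm"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet0.addressType = "generated"
ethernet1.present = "TRUE"
ethernet1.connectionType = "hostonly"
ethernet1.addressType = "generated"
EOF
    echo "$dir"
}

# Usage: report, convert, report again.
S=$(vmx_make_sample)
echo "before:"; vmx_adapter_report "$S/lab.vmx"
vmx_to_hostonly "$S/lab.vmx" "$S/lab-hostonly.vmx"
echo "after:";  vmx_adapter_report "$S/lab-hostonly.vmx"
echo "bridged adapters now: $(vmx_bridged_count "$S/lab-hostonly.vmx")"
```

Run `vmx_adapter_report` against the .vmx that came with the disc before the first boot; anything reported as `bridged` or `unset` is an adapter that will appear on whatever network the host is plugged into. Editing the file while the VM is powered off is equivalent to changing the setting in the VMware GUI.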