To The Last Tribe Consulting

Archive for April, 2009

“Hacker Techniques, Exploits & Incident Handling” :: A Review ::

by Josh on Apr.28, 2009, under Uncategorized

As I mentioned in my last post, I just finished the SANS Sec 504 Class: Hacker Techniques, Exploits & Incident Handling.  As with my previous 2 SANS classes, I took it over 4 months, using SANS OnDemand, which allows me to take the class online, at my own pace.  The teacher was the well known Ed Skoudis of Counter Hack fame.

Presentation

The only negative I have about this class is the same as for the last two OnDemand classes I’ve taken: the layout of the OnDemand system. Let me quote from my previous OnDemand review:

“Like my previous class, I took it OnDemand, meaning that I logged into the SANS website, and took it online, at my own pace.  I have to say that I really like this format, but I do have to say that the OnDemand interface is not the most intuitive.  Check out CERT’s VTE for Intuitive.”

Teacher

Ed Skoudis is a great teacher, though he does tend to talk really, really fast when he gets passionate, which he usually was, at least in this particular class.

Content

The class was divided into two basic sections:  Incident Handling and Hacker Techniques and Exploits.

The first section, Incident Handling, delved into the topic of “how to handle an Incident,” which is defined as, “the action or plan for dealing with intrusions, cyber-theft, denial of service, and other computer security-related events.”

The second section, Hacker Techniques and Exploits, went into an extended technical discussion on the phases of an attack, and what sort of vulnerabilities an intruder exploits to take control of a system / network.

Some of the topics included:

-ARP Cache Poisoning and DNS Injection

-Buffer Overflows in Depth

-Format String Attacks

-Kernel-level Rootkits

-Using Fragroute, Fragrouter and Whisker IDS Evasion Tactics

-And a lot more of the same type of stuff.

I found this portion of the class to be my favorite.  We got very nitty-gritty technical, and yet it was very practical.

Overall, I would have to give the content a very high rating.  Though the content was current, it probably was not cutting edge.

Final thoughts:

I found this class to be a great, very technical, yet very practical discussion on this whole topic of Incident Handling and “hacker” techniques.

A side note: Bejtlich had an interesting discussion on how SANS defines Incident Handling/Response, and SEC 504. Check out http://taosecurity.blogspot.com/2009/04/speaking-of-incident-response.html for the post.

Josh


Aced the GIAC Certified Incident Handler (GCIH) Exam…

by Josh on Apr.23, 2009, under Uncategorized

Well, I just got back from Charleston, where I had my GCIH exam this morning.

I was pleasantly surprised to find that it turned out to be fairly easy. It probably helped that I have spent the past 4 months studying through the SANS class associated with the GCIH.  After a little under an hour and a half, I finished the exam, with a 96%.

With two silver certifications out of the way, I now need to complete the two accompanying Gold papers to apply for the Master’s program.

In an upcoming post, I will review the SANS class I just finished (SEC 504).

Josh


POSSCON 2009

by Josh on Apr.23, 2009, under Uncategorized

This past Saturday, I traveled up to Columbia, SC to POSSCON 2009.  As the tagline on the site says, POSSCON is “South Carolina’s only Open Source Software Conference.”

The keynote speaker was the CIO of Red Hat, Lee Congdon.  Lee spoke on “the state of Open Source today,” throwing in practical examples from his experiences at Red Hat, which I found to be very beneficial.

The day was split into two tracks: Developers and Business I.T.   I ended up going to the business track, which I found out was fairly basic.  The only interesting discussions / topics came up during the final sessions: the roundtable discussions with I.T. leaders from Time Warner, Blue-Cross/Blue-Shield, Fedora, etc.  They got into discussing how they practically worked OSS into their companies.  The other interesting session was the chief network architect from Blue-Cross/Blue-Shield describing their infrastructure switch to virtualized Linux on zSeries IBM Mainframes.

An extra session at the end of the day was on Hadoop, which I found very cool. I may be using this as part of my research for one of my GIAC Gold certs.

Finally, as always in these sorts of gatherings, you get the OSS zealots. A few choice quotes from the ones on board:

“Another great reason to use open source software is because when they update the software, it doesn’t break things, like closed source software often does.”  (I wanted to ask this guy if he had ever actually used any sort of open source software! Off the top of my head, I can think of a few examples of open source software updates that have broken things!)

“Open source software is so much more better than closed source software, because they follow the standards closer–Like, they actually follow the RFCs, and closed source software usually don’t.”   (OK, so first, how does this guy think Linux and Windows can communicate via TCP/IP if they both don’t follow the relevant RFCs?  Secondly, has he ever browsed an RFC?  An RFC gives general guidance and principles, but does not always mandate specific implementations.)

Josh
