Tag: InfoSec
“Hacker Techniques, Exploits & Incident Handling” :: A Review ::
by Josh on Apr.28, 2009, under Uncategorized
As I mentioned in my last post, I just finished the SANS Sec 504 Class: Hacker Techniques, Exploits & Incident Handling. As with my previous 2 SANS classes, I took it over 4 months, using SANS OnDemand, which allows me to take the class online, at my own pace. The teacher was the well known Ed Skoudis of Counter Hack fame.
Presentation
The only negative I have about this class is the same as for the last two OnDemand classes I’ve taken: the layout of the OnDemand system. Let me quote from my previous OnDemand review:
“Like my previous class, I took it OnDemand, meaning that I logged into the SANS website and took it online, at my own pace. I have to say that I really like this format, but I do have to say that the OnDemand interface is not the most intuitive. Check out CERT’s VTE for intuitive.”
Teacher
Ed Skoudis is a great teacher, though he does tend to talk really, really fast when he gets passionate, which he usually was, at least in this particular class.
Content
The class was divided into two basic sections: Incident Handling and Hacker Techniques and Exploits.
The first section, Incident Handling, delved into the topic of “how to handle an Incident,” which is defined as, “the action or plan for dealing with intrusions, cyber-theft, denial of service, and other computer security-related events.”
The second section, Hacker Techniques and Exploits, went into an extended technical discussion on the phases of an attack, and what sort of vulnerabilities an intruder exploits to take control of a system / network.
Some of the topics included:
- ARP Cache Poisoning and DNS Injection
- Buffer Overflows in Depth
- Format String Attacks
- Kernel-level Rootkits
- Using Fragroute, Fragrouter and Whisker IDS Evasion Tactics
- And a lot more of the same type of stuff.
I found this portion of the class to be my favorite. We got very nitty-gritty technical, and yet it was very practical.
Overall, I would have to give the content a very high rating. Though the content was current, it probably was not cutting edge.
Final thoughts:
I found this class to be a great, very technical, yet very practical discussion on this whole topic of Incident Handling and “hacker” techniques.
A side note: Bejtlich had an interesting discussion on how SANS defines Incident Handling/Response, and SEC 504. Check out http://taosecurity.blogspot.com/2009/04/speaking-of-incident-response.html for the post.
Josh
Aced the GIAC Certified Incident Handler (GCIH) Exam…
by Josh on Apr.23, 2009, under Uncategorized
Well, I just got back from Charleston, where I had my GCIH exam this morning.
I was pleasantly surprised to find that it turned out to be fairly easy. It probably helped that I have spent the past 4 months studying through the SANS class associated with the GCIH. After a little under an hour and a half, I finished the exam with a 96%.
With two silver certifications out of the way, I now need to complete the two accompanying Gold papers to apply for the Master’s program.
In an upcoming post, I will review the SANS class I just finished (SEC 504).
Josh
System & Network Administrator /= Security Administrator
by Josh on Jan.15, 2009, under Uncategorized
A section of a book that I have been reading (Protect Your Windows Network From Perimeter to Data by Johansson & Riley) really made me sit and think, especially since it is so personally applicable to where I am, and to where the organization I am with is at. Let me just quote it for you, and let you think on it. (I have sourced it from a sample chapter available online, found here.)
System Administrator – Security Administrator
“Making system or network administrators manage security is counterproductive; those job categories then would have conflicting incentives. As a system or network administrator, your job should be to make systems work, make the technology function without users having to think about it, making the technology transparent. As a security administrator, your job is to put up barriers to prevent people from transparently accessing things they should not. Trying to please both masters at the same time is extremely difficult. Dr. Jekyll/Mr. Hyde may succeed at it (for a time at least), but for the rest of us, it is a huge challenge. The things that will get you a good performance review in one area are exactly what will cost points in the other area. This can be an issue today because many who manage infosec are network or system administrators who are also part-time security administrators. Ideally, a security administrator should be someone who understands system and network administration, but whose job it is to think about security first, and usability/usefulness second. This person would need to work closely with the network/system administrator, and obviously the two roles must be staffed by people who can work together. However, conflict is a necessity in the intersection between security and usability/usefulness. Chances are that only by having two people with different objectives will you be able to find the optimal location on the continuum between security and usability/usefulness for your environment.”
Josh