Reproduced with permission from TG.
July 05 2006
Working in the computer industry for 9 years, then focusing on security for 4 years, I have seen many things. I have always been on the defense when it comes to security; it seems to always be a game of catch up. A vulnerability is released and upper management deems a solution that might not be the best fix. I cannot tell you how many times I have been forced to implement a square patch into a round vulnerability. Since I have little understanding of the attack or the vulnerability, I am at the mercy of the patch and coder that wrote it. With this deficiency in my background I needed more information on what the exploits are and the frame of mind of the person creating them.
I have taken many training classes from SANS, and Learning Tree, on the topics of security. This time I needed a certain specialty class. I need to learn more on how to exploit a network. I needed to learn methodology on compromising a network. In order to defend an enterprise networking environment I had to learn how to penetrate one.
I then looked at the two different penetration certifications, CEH (Certified Ethical Hacker – From EC Council) or CPTS (Certified Penetration Testing Specialist from Mile2). I have read many articles on CEH and bought the official book, Ethical Hacking written by EC-Council. After looking into the CEH certification I came to the conclusion that it is too tool orientated. I am familiar with the open source environment so most of the tools that come with the CEH course. I didn't want to learn a tool set but the reasons to use them. Looking into the CPTS course I couldn't find very much information on it, but one thing that sold me was printed on the Mile2 site. Mile2 CPTS is being used by the US Military -- I found my class! If the Military is using Mile2 for their training then why shouldn't I?
I took the class in Nashua, NH, June 19 – 23rd. I was two hours late for the Monday class due to flight delays. I was introduced to Tim my instructor who was also presented as a professional penetration tester and security expert. Whenever I meet people with such titles I always view them with a grain of salt. A class is only as good as the instructor. If I am able to stump the instructor on my first day, then I usually lose confidence in the class. Tim was right on the money with anything that I threw at him. He knew the industry and was current with security practices and procedures. Tim's best asset was the ability to think out of the box to exploit secure networks and the people that maintain them.
The five day training environment consisted of lectures and lab assignments that ranged from simple to advanced. The atmosphere was professional and light hearted in that I was able to freely ask questions. At all times the instructor addressed the students politely no matter what their background or skill set was. Tim was able to keep the whole class involved with questions and stories from his experiences. Students would also give input from situations that they experienced in the past.
I learned many tools on how to perform security penetrations. More importantly I learned the methodology on the exploits that I was performing. I learned how to exploit web pages, web servers, Windows and UNIX environments. I was taught networking concepts (LAN, WAN) and different packet exploits. The Lab environment was sound and real world. Most important is that the labs worked. I cannot tell you how many times in training the labs did not produce the required results. We would then go over the labs to see what was happening and learn the concepts that went into the exploit.
By the third day I had enough training to change the way I looked at a network. The class was changing the way I saw a network. I was not just learning about an exploit, I wanted to know how to modify it. I was not thinking like a security specialist, I was thinking like a penetration tester. This was the most important thing that I took away from this class. I would go back to my hotel thinking about my own enterprise environment. I would cringe at potential vulnerabilities that I might have. I was introduced to a frame of mind, not a tool set. The instructor always reminded the class to be professional in their penetration testing. Follow the agreed rules.
During some of the programming days I wanted to know more about root kits and different viruses. Tim taught us how to modify code and what to look for in a buffer overflow exploit. After the lecture Tim took time out of his lunch to show me more code. All I had to do was ask; Tim was happy to answer all my questions. I probably cannot write a virus but I have a better understanding on how virus scanners work. By looking at exploits and vulnerabilities I am now better able to secure my corporate environment.
After taking this class I have an opportunity to take the CPTS test and become certified. The problem with many certification classes is that they tend to teach you how to pass a test. I personally feel that certifications can dilute the teachings of a class. I was never instructed on how to take a test, I was taught how to penetrate a network. With what I have learned in the class I have no doubt that I will pass the certification.
Back at work I was brought into my boss's office to debrief him on what I learned. I told him that I learned a different frame of mind. I now have a better understanding on what I am up against to secure my corporate computing environment.
Sincerely,
Tim Gallagher
Systems Engineer
Computer Science Corporation