Information, tools and how-to's for the new intrusion analyst. Mentoring by blogging.
Tuesday, June 30, 2009
SANS@Night Presentations
SANS is offering the SANS at Night sessions from SANSFire in MP3 format, found here You can also subscribe through Itunes if you so desire by going here
Monday, June 22, 2009
Recert
Just signed up to recertify for my GCIH. Of all the SANS certs, I'm thinking the changes in the material for this one will be huge (that's Certified Incident Handler).
Day one of the course covers the seven steps of incident handling, procedures, putting together your team, etc. The next six are all exploits. I certified back in January of 2006, which means I took the material mid-2005. And, as good a job as Ed Skoudis does keeping his courseware up to date, parts of it were probably dated as they came off the printing press. Things just change just toooo rapidly.
Recerts for SANS are every four years. Obviously this isn't often enough to really keep you on top of what you need to know. Listservs and web sites help some, like the Storm Center, Security Focus, Emerging Threats, etc. but it's mostly top level info.
You still have to dig further to really understand the mechanics. And it takes time. And there's a huge amount of it. How do you really keep up-to-date?
Day one of the course covers the seven steps of incident handling, procedures, putting together your team, etc. The next six are all exploits. I certified back in January of 2006, which means I took the material mid-2005. And, as good a job as Ed Skoudis does keeping his courseware up to date, parts of it were probably dated as they came off the printing press. Things just change just toooo rapidly.
Recerts for SANS are every four years. Obviously this isn't often enough to really keep you on top of what you need to know. Listservs and web sites help some, like the Storm Center, Security Focus, Emerging Threats, etc. but it's mostly top level info.
You still have to dig further to really understand the mechanics. And it takes time. And there's a huge amount of it. How do you really keep up-to-date?
Friday, June 19, 2009
SANSFIRE
Hope all the attendees at SANSFire are having a GREAT time and learning much. Judy Novak had a three hour mini-course on packet crafting using scapy. If you don't know of Judy, she's one of the really top notch intrusion analysts in the world today.
Used to work for the military, now with Sourcefire. Co-authored a really good book with Stephen Northcutt on intrusion analysis (see my reading list to the right on this blog).
Used to work for the military, now with Sourcefire. Co-authored a really good book with Stephen Northcutt on intrusion analysis (see my reading list to the right on this blog).
Wednesday, June 10, 2009
Patch Away
It's patching time again. Microsoft has released no less than 10 new security patches, Adobe released new patches the same day (and will now release theirs the same day as Microsoft going forward which is the 2nd Tuesday of the month) and now Sun has released Java 6 update 14. Tons of info out there so I won't bother with links except one, isc.sans.org, the SANS Internet Storm Center that has diary articles up on all three now.
Monday, June 8, 2009
Obama Chooses BlackHat Head for Department of Homeland Security's Advisory Council
Obama has tapped the head of BlackHat to sit on the Department of Homeland Security's Advisory Council (HSAC). This is being portrayed as choosing a hacker for a high level security position, but I think that's overstating the facts, for once. Jeff Moss, whose handle is Dark Tangent, has by his own words been out of the hacking scene since high school or thereabouts. He's not a convicted hacker, like Kevin Mitnik, and was never charged for breaking into any networks that I'm aware of. And since those days he's worked for Ernst and Young, SCC, gotten a degree in criminal justice and taken BlackHat and transformed it into partial SANS-style security training (along with the hackers conference, which is well attended by law enforcement and three letter agencies). Details are here.
I don't equate this to Corporation XYZ hiring a blackhat right out of his former career to be their Chief Security Officer even to be a ethical hacker doing gigs for third party assessment. It's a long road from Jeff's high school career of using phreaking to get some long distance phone calls out of AT&T. The first ethical hack I ever sat on in used a ex-blackhat as the main pen tester. As he sat in front of five or six laptops running different exploits against our network, he entertained us with stories of his former life and the places he had broken into. He worked for a very, very large telecom who happens to have three letters in their name.
I just don't see a person who as a kid did some Cap'n Crunch style phreaking being in that same category. I think Jeff's paid his dues, and as much as I hate to grudgingly admit it, I think this pick by Obama is pretty good, unlike a whole slew of them that had me wondering what he was thinking (can you say tax-evading cabinet members?)
I don't equate this to Corporation XYZ hiring a blackhat right out of his former career to be their Chief Security Officer even to be a ethical hacker doing gigs for third party assessment. It's a long road from Jeff's high school career of using phreaking to get some long distance phone calls out of AT&T. The first ethical hack I ever sat on in used a ex-blackhat as the main pen tester. As he sat in front of five or six laptops running different exploits against our network, he entertained us with stories of his former life and the places he had broken into. He worked for a very, very large telecom who happens to have three letters in their name.
I just don't see a person who as a kid did some Cap'n Crunch style phreaking being in that same category. I think Jeff's paid his dues, and as much as I hate to grudgingly admit it, I think this pick by Obama is pretty good, unlike a whole slew of them that had me wondering what he was thinking (can you say tax-evading cabinet members?)
Friday, June 5, 2009
SANSFIRE 2009
Another SansFire is fast approaching (June 13th) and for the second year in a row I'll be staying home. The economy and my company being bought out by another, much larger one have conspired to put my training cycle on an indefinite hold. I work for a really security conscious organization that unfortunately is too large to consider third party training of much value (so I hear, it's SO big I have little insight outside of my own location).
One of the backfire issues with really big companies that put a large amount of resources into network/information security is that there is the assumption they can do all things better in-house than third parties like SANS. The training I've received so far since working for them has been all very basic stuff, and all dealing with policy/regulation/awareness. No technical training whatsoever (and I haven't been able to find any that exists except for developers), so my only choice is to go back to self-education.
If you go to SansFire this year (I see they've moved the venue to Baltimore this time), please really both enjoy it and get everything you possibly can out of it. Hit the BoF sessions, the SANS@Night free training, and the ISC presentations. And sure, have a beer with your fellow NetSec folks. That's part of the reason the live events are so good, isn't it? Networking and sharing info back and forth after the classrooms have all closed for the day.
You never know, next year you may be sitting on the sidelines like me and wishing you were there. Get it while you can!
One of the backfire issues with really big companies that put a large amount of resources into network/information security is that there is the assumption they can do all things better in-house than third parties like SANS. The training I've received so far since working for them has been all very basic stuff, and all dealing with policy/regulation/awareness. No technical training whatsoever (and I haven't been able to find any that exists except for developers), so my only choice is to go back to self-education.
If you go to SansFire this year (I see they've moved the venue to Baltimore this time), please really both enjoy it and get everything you possibly can out of it. Hit the BoF sessions, the SANS@Night free training, and the ISC presentations. And sure, have a beer with your fellow NetSec folks. That's part of the reason the live events are so good, isn't it? Networking and sharing info back and forth after the classrooms have all closed for the day.
You never know, next year you may be sitting on the sidelines like me and wishing you were there. Get it while you can!
Subscribe to:
Posts (Atom)