
ISS Ethical Hacking Course

Ethical hacking – isn’t that an oxymoron?

Perhaps not. The Ethical Hacking course from the training arm of Internet Security Systems (producers of various security software packages such as Internet Scanner, Database Scanner, and RealSecure) is aimed at security officers, auditors, security professionals, site administrators, and anyone else who is concerned about the integrity of their network infrastructure - not hackers (or would-be hackers). It is unlikely, in fact, that anyone who is interested simply in learning the basics of mischief making would want to stump up the £3000 for this course, and so we are left with the concept of the “ethical hacker” – the person responsible for corporate security who wants to have a grounding in the techniques that the script kiddies will be using against him.

And that is exactly what this course is designed to teach, providing a structured methodology for detailing the techniques used by crackers to assess and attack corporate networks. Over a very intensive four day period (it could quite easily be stretched to five days, so don’t go on this course expecting an easy ride) the course attempts to highlight information leakage that can take place even within a seemingly secure environment. It thus provides valuable insight into how hackers circumvent and defeat security controls in networked environments, applications and operating systems.

The first day starts somewhat slowly with the obligatory “ethical” part of the whole thing, covering legal and HR issues, reasons why you might perform an ethical hack, and common attack types and vulnerabilities. To be honest, I would be quite happy to see this reduced to a quick half hour introduction and get straight into the real stuff, especially since the extra half day gained would come in handy later in the course. Things pick up in the afternoon, however, with an introduction to passive information gathering techniques and some practical examples using whois, Sam Spade, EDGAR and various Stock Exchange sites.

Day two sees us moving on to active information gathering and target mapping. Delegates are led through various tools and techniques used to gather valuable information on target networks and hosts, and to use the data with experience and knowledge gained in earlier sections to map the network and targets. You would expect plenty of coverage of ISS’ own tools such as Internet Scanner in this section, but you would be wrong – they get barely a mention. In fact, one of the nice points about this course is that the instructors concentrate on tools that are freely available on the Internet, the rationale being that if you know where to look, the latest tools and exploits can always be found on the ‘net well in advance of those same techniques being incorporated into commercial offerings.

The third day covers vulnerability mapping and exploitation. Once targets from the previous day's session have been mapped, delegates move on to considering which areas are likely to be vulnerable and open to attack. They are then led through various tools and sites for finding exploits. One of the best features of the course is the “real life” corporate intranet/Internet environment that is provided under laboratory conditions, providing for a number of hands-on workshops where delegates have the chance to practice some of the techniques they are learning.

All the hands-on sessions build on previous knowledge and the aim is to have the delegates “hacking” into the lab network for real by the end of the course. In the day three modules, delegates are guided through techniques to attempt to gain entry into the “target” company set up in the training facility based on the results of the assessment so far, and using common exploit code that can be found on the Internet. The instructors also demonstrate a “chain attack” using real exploit code to show how a hacker will compromise one machine, then use that machine as a launch pad to other hosts in the organisation, chaining together three or four exploits to eventually gain root access. They make it look so simple – scary stuff!

The final day pulls together all the information learned on days one to three, and delegates are pitted against one another in the final “hack off”. There are a couple of things about the test network that have remained hidden until the fourth day (and I won’t spoil the surprise by telling you what they are here). The delegates are invited to use all the steps in the methodology outlined in the course, finally identifying a valid exploit on the Internet and taking control of the target system.

Once this has been completed, the course rounds off with an examination. This is no easy “read it from the book” test either, though as long as you have absorbed enough of the material in the excellent course notes, you will be fine.

Verdict

Overall the course provides a superb grounding in the techniques used by hackers to map out and gain access to your corporate systems. The way the labs have been constructed, building on the previous ones until the final day, is very clever and extremely informative, and the instructors – who are actually consultants from the ISS penetration testing team rather than your usual run-of-the-mill trainers – really know their stuff.

I would not recommend going on this course unless you have a reasonable knowledge of networking technologies and protocols, and at least one network operating system (Windows NT/2000 or Unix). Both Windows and Unix environments are covered and used in the course, but delegates who have a knowledge of only one of those environments should not experience any significant problems – the instructors cover the requisite hands-on material in sufficient detail to get you up and running.

All in all, this course is well paced and covers a wealth of useful material, and should be considered a must for anyone who is even remotely interested in just how easy it is for hackers to worm their way past your supposedly secure defences. Highly recommended.

Product: Internet Security Systems SecureU Ethical Hacking Course
Tel: +44 (0)20 7626 7070
http://education.iss.net/emea


Copyright © 1991-2005 The NSS Group Ltd.
All rights reserved.