RE: CEH and Intense School

From: Martin Dion (martin.dion@abovesecurity.com)
Date: Thu Nov 06 2003 - 18:57:39 EST


I think you should seriously look into OSSTMM Certification. http://www.isecom.org/projects/opst.htm
 
In my own opinion, a successfull penetration testing operation is not only about using a suite of tools but also about being able to report on the risk thaT such exploitation might represent.
 
It is also important that a good penetration tester envision a formal and systemic approach to evaluate the various potential vulnerability of the information system under evaluation
 
Remember that an information system is composed of seven distinct elements:
- The access/telecommunication layer
- The network operating system
- The application servers
- The application themselves
- The external systems that transfer data back and forth with this system
- The facilities that host the physical system
- The individuals that owns, uses and operates the system
 
A good penetration tester should therefore evaluate the effectiveness of the security measures from all those elements in a formal way.
 
In my opinion, only the OSSTMM framework for security evaluation offer a methodology that enable the tester to put all those element in perspective trough the various phases of:
- Gathering intelligence on the target
- Conduct preliminary identification of services and applications
- Analysing potential vulnerabilities from the seven elements
- Exploiting those vulnerabilities
- Reporting formally on the process and findings
 
The certification program offered by Isecom is based on this methodology. I am in no way affiliated to this project or organisation but I favorably endorsed the approach and the certification program
 
Martin Dion, CISM
VP of Profesionnal Services
Above Security
 

        -----Original Message-----
        From: Peter Mercer [mailto:inom@ozemail.com.au]
        Sent: Thu 11/6/2003 5:19 PM
        To: 'Andrew Turner'; Penetration Testers
        Cc:
        Subject: RE: CEH and Intense School
        
        

        Hi Andrew,
        
        A few questions to find out about Ethical Hacking courses;
        
        Q-What's covered over the course
        Remember most courses are +- 4 - 5k, that's good money, make the sales
        man do his job and explain, ask for references from past attendees.
        
        Q-How many times has this course been delivered
        You want more than 4 to know the bugs are ironed out in labs and so on.
        
        Q-What equipment do I get to use.
        You don't want to be stuck with a p2 300 laptop with 64 megs.
        
        Q-How many and what do the lab consist of
        If it's a 5 day course you would want 4 - 5 labs of a reasonable
        duration and complexity (not just one box with Unicode) or it may be
        death by PPT
        
        Q-Do the labs have multiple OS and applications that need exploiting.
        Your there for as much experience as you can get
        
        Q-How old are the patch levels on the lab boxes
        If they are using NT4 sp 1 and Redhat 5.3 you are not going to learn
        stuff you can use a lot every day. That said even old exploits can teach
        you the mindset you need to use new exploits.
        
        Q-Is there a Firewalls involved in the lab.
        Once again you want experience, if the course developer has gone to the
        trouble to configs and design labs that have multiple technologies and
        made a hack that needs you to bounce around all of them, you can believe
        the course is well thought out.
        
        Q-In the course how much is different or not in the Hacking Exposed
        book. Foundstone have not only been writing books for years on hacking,
        that everybody consults at some stage but have also been teaching for as
        long or longer. So I would want to know how they differentiate
        themselves from other courses or what's is in the book. Remember the
        book only costs $50.
        
        
        Q-What tools do you use on the course and do I get a CDrom with them all
        on at the end of the course
        If they show you all the tools they have personally written and wont
        share them or the ones they use cost gazillions to buy that may limit
        how useful the course is.
        
        Q-how much time is spent on automated vulnerability scanners (AVS)
        Your not there to learn to point and click. AVS have there place but
        knowing how to do it yourself is why you are there.
        
        Q-What's for lunch
        
        Q-Is the t-shirt cool
        
        
        This is just a few questions I would ask.
        
        Kind regards
        Peter Mercer (look no alpherbet soup)
        92487000
        0419892600
        
        
        -----Original Message-----
        From: Andrew Turner [mailto:andrewhturner@yahoo.com]
        Sent: Thursday, November 06, 2003 12:47 AM
        To: pen-test@securityfocus.com
        Subject: CEH and Intense School
        
        Greetings,
        
        I am considering taking the Ethical Hacking course
        tought by Intense School. Has anyone had experience
        with this training program? If so, I would be very
        interested in hearing your comments on the program.
        
        Thanks in Advance!
        
        --
        Andrew H. Turner, CISSP
        
        
        __________________________________
        Do you Yahoo!?
        Protect your identity with Yahoo! Mail AddressGuard
        http://antispam.yahoo.com/whatsnewfree
        
        ------------------------------------------------------------------------
        ---
        Network with over 10,000 of the brightest minds in information security
        at the largest, most highly-anticipated industry event of the year.
        Don't miss RSA Conference 2004! Choose from over 200 class sessions and
        see demos from more than 250 industry vendors. If your job touches
        security, you need to be here. Learn more or register at
        http://www.securityfocus.com/sponsor/RSA_pen-test_031023
        and use priority code SF4.
        ------------------------------------------------------------------------
        ----
        
        
        
        ---------------------------------------------------------------------------
        Network with over 10,000 of the brightest minds in information security
        at the largest, most highly-anticipated industry event of the year.
        Don't miss RSA Conference 2004! Choose from over 200 class sessions and
        see demos from more than 250 industry vendors. If your job touches
        security, you need to be here. Learn more or register at
        http://www.securityfocus.com/sponsor/RSA_pen-test_031023
        and use priority code SF4.
        ----------------------------------------------------------------------------
        
        



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:42 EDT