Re: Ethical Hacking Training

From: Hamish webhosting.net.nz (koremeltdown@hotmail.com)
Date: Mon Jan 19 2004 - 22:07:52 EST


Greetings James, Gregory and the rest of the group,

Nothing against the (respected) posters, but I tend to disagree that "know
your enemy" is a bad statement... In fact I believe it to be probably the
best statement - knowing your job is only a small part of being a security
expert.
To give your client base a fighting edge against real hackers (and face it,
not all of them out there are script kiddies, there are guys out there
smarter than a lot of us) you must understand several things; these being:

* The mindset of a hacker (yes, there are several similarities most hackers
& even script kiddies share)

* Changing trends & methods in how real hackers "hack"

* Different hacker groups, connections and specialist skills (most hacking
clans will specialise in one particular type of service/os etc, and may even
hack in unique steps or processes)

* We as security experts must try our very best to be aware of
security threats before they are "real threats" over the internet - that is
where the real danger lies with a lot of intrusions as I am increasingly
finding. This means that to retain a distinct advantage over hackers and
competing companies it is advantageous to become "part of the underground"
(how in-depth you delve is your business) and know exactly what your enemy
is capable of - otherwise we are as good as al Qaeda is in the mountains, we
are just waiting to be struck down.

As I realise that many here are a lot more experienced and knowledgeable
members of this group than I am, feel free to comment/correct me on any of
my statements :)

Kindest of regards,

Hamish Stanaway

-= KoRe WoRkS =- Internet Security / Absolute Web Hosting
Owner/Operator
Auckland, New Zealand

http://www.koreworks.com/
http://www.webhosting.net.nz/
http://www.buywebhosting.co.nz/

>From: "Meritt James" <meritt_james@bah.com>
>To: "DeGennaro Gregory" <Gregory_DeGennaro@csaa.com>
>CC: "Teicher Mark (Mark)" <teicher@avaya.com>,Rob Shein
><shoten@starpower.net>,"Andy Cuff [Talisker]"
><lists@securitywizardry.com>,pen-test@securityfocus.com
>Subject: Re: Ethical Hacking Training
>Date: Mon, 19 Jan 2004 13:06:22 -0500
>
>Here we go again. I believe that those skills necessary to build a
>building are different than those to demolish a building. There are
>construction engineers and there are demolition experts. Different
>things. And the skills to fix a car engine are not those necessary to
>vandalize one. "Know your enemy" is nice, "know your job" is, in my
>opinion, better.
>
>"DeGennaro, Gregory" wrote:
> >
> > Very good statement and you do need to know your enemy.
> >
> > Just because you're a police officer, soldier, or in our case,
> > information security engineers, does not mean you or I really know our
> > enemy and their full or potential capabilities.
> >
> > Ethical hacking gives us an overview or lets us peer into the cracker's
> > world. Of course, the classes do not have the latest cracks unless they
> > have a honey pot running and receiving such traffic. Nor does it make
> > us crackers. It is only a look see and not cracker training.
> >
> > Ethical Hacking is really a coined term for the public and those who do
> > not know the difference between hacker, wacker, and cracker. The public
> > only knows or thinks they know what a hacker is. In reality, they have no
> > clue that a hacker is good and the other two are not.
> >
> > Also, how do you propose a professional runs pen and vuln tests against
> > their network to secure holes in their fortifications? There are good
> > products on the market; however not everyone can afford them, use
> > them properly, or the software or device is not totally up to date or
> > catches everything.
> >
> > Regards,
> >
> > Greg DeGennaro Jr., CCNP
> > Security Analyst
> >
> > -----Original Message-----
> > From: Teicher, Mark (Mark) [mailto:teicher@avaya.com]
> > Sent: Friday, January 16, 2004 7:10 PM
> > To: Rob Shein; Andy Cuff [Talisker]; pen-test@securityfocus.com
> > Subject: RE: Ethical Hacking Training
> >
> > Talisker,
> >
> > I still have an issue with the term "Ethical hacking". It was a term
> > born out of the Big Six when they were trying to build their security
> > practices and leverage their existing client base. I still feel the
> > term is somewhat of a slant on those who practice "holistic security" and
> > actually attempt to help customers improve their network security
> > posture instead of pointing out the "glaring" hole that those who
> > practice "Ethical Hacking" like to do.
> >
> > I have worked in the past with those who preach and teach "Ethical
> > Hacking". Many of those people have published books exploiting that exact
> > theme.
> >
> > Why not spend the time in researching how to correct security exploits,
> > in enforcing secure coding standards and forcing vendors to clean up
> > their act and making their products work more efficiently and securely?
> >
> > /mark
> >
>
>--
>James W. Meritt CISSP, CISA
>Booz | Allen | Hamilton
>phone: (410) 684-6566




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:46 EDT