Tag Archives: InfoSec

“Hacker Techniques, Exploits & Incident Handling” :: A Review ::

As I mentioned in my last post, I just finished the SANS Sec 504 Class: Hacker Techniques, Exploits & Incident Handling.  As with my previous 2 SANS classes, I took it over 4 months, using SANS OnDemand, which allows me to take the class online, at my own pace.  The teacher was the well known Ed Skoudis of Counter Hack fame.


The only negatives I have about this class is the same as the last two OnDemand classes I’ve taken:  The layout of the OnDemand system–Let me quote from my previous OnDemand review:

“Like my previous class, I took it OnDemand, meaning that I logged into the SANS website, and took it online, at my own pace.  I have to say that I really like this format, but I do have to say that the OnDemand interface is not the most intuitive.  Check out CERT’s VTE for Intuitive.”



Ed Skoudis is a great teacher, though he does tend to talk really, really fast when he gets passionate, which he usually was, at least in this particular class.



The class was divided into two basic sections:  Incident Handling and Hacker Techniques and Exploits.

The first section, Incident Handling, delved into the topic of “how to handle an Incident,” which is defined as, “the action or plan for dealing with intrusions, cyber-theft, denial of service, and other computer security-related events.”

The second section, Hacker Techniques and Exploits, went into an extended technical discussion on the phases of an attack, and what sort of vulnerabilities an intruder exploits to take control of a system / network.

Some of the topics included:

-ARP Cache Poisoning and DNS Injection

-Buffer Overflows in Depth

-Format String Attacks

-Kernel-level Rootkits

-Using Fragroute, Fragrouter and Whisker IDS Evasion Tactics

-And alot more of the same type stuff.

I found this portion of the class to be my favorite.  We got very nitty-gritty technical, and yet it was very practical.

Overall, I would have to give the content a very high rating.  Though the content was current, it probably was not cutting edge.

Final thoughts:

I found this class to be a great very technical, yet very practical discussion on this whole topic of Incident Handling and “hacker” techniques.

A side note: Bejtlich had an interesting discussion on how SANS defines Incident Handling/Response, and SEC 504. Check out http://taosecurity.blogspot.com/2009/04/speaking-of-incident-response.html for the post.


Tagged , ,

Aced the GIAC Certified Incident Handler (GCIH) Exam…

Well, I just got back from Charleston, where I had my GCIH exam this morning. 

I was pleasently suprised to find that it turned out to be fairly easy–It probably helped that I have spent the past 4 months studying through the SANS class associated with the GCIH.  After a little under an hour and a half, I finished the exam, with a 96%. 

With two silver certifications out of the way, I now need to complete the two accompaning Gold papers, to apply for the Master’s program.

In an upcoming post, I will review the SANS class I just finished (SEC 504).


Tagged , , ,

System & Network Administrator /= Security Administrator

A section of a book that I have been reading (Protect Your Windows Network From Perimeter to Data by Johansson & Riley) really made me sit and think, especially since it is so personally applicable to where I am, and the organization I am with is at.  Let me just quote it for you, and let you think on it:  (I have sourced it from a sample chapter available online, found here.)

System Administrator – Security Administrator

“Making system or network administrators manage security is counterproductive; those job categories then would have conflicting incentives. As a system or network administrator, your job should be to make systems work, make the technology function without users having to think about it, making the technology transparent. As a security administrator, your job is to put up barriers to prevent people from transparently accessing things they should not. Trying to please both masters at the same time is extremely difficult. Dr. Jekyll/Mr. Hyde may succeed at it (for a time at least), but for the rest of us, it is a huge challenge. The things that will get you a good performance review in one area are exactly what will cost points in the other area. This can be an issue today because many who manage infosec are network or system administrators who are also part-time security administrators. Ideally, a security administrator should be someone who understands system and network administration, but whose job it is to think about security first, and usability/usefulness second. This person would need to work closely with the network/system administrator, and obviously the two roles must be staffed by people who can work together. However, conflict is a necessity in the intersection between security and usability/usefulness. Chances are that only by having two people with different objectives will you be able to find the optimal location on the continuum between security and usability/usefulness for your environment.”


Tagged , ,

Book Review of “Tao of Network Security Monitoring”

The Tao of Network Security Monitoring: Beyond Intrusion Detection was my first Information Security book that I read.  The author, Richard Bejtlich , has authored a few other books that I hope to read soon.  As for Tao, I have found it to be an absolutely fascinating book on InfoSec.

The author starts out by laying the groundwork of Risk Management, and how risk, threats, vulnerabilities and exploits are defined and used in the real world.

The author then makes this statement:

Security is the process of maintaining an acceptable level of perceived risk. A former director of education for the International Computer Security Association, Dr. Mitch Kabay, wrote in 1998 that “security is a process, not an end state.” No organization can be considered “secure” for any time beyond the last verification of adherence to its security policy. If your manager asks, “Are we secure?” you should answer, “Let me check.” If he or she asks, “Will we be secure tomorrow?” you should answer, “I don’t know.” Such honesty will not be popular, but this mind-set will produce greater success for the organization in the long run.”

With this kind of outlook on security, the author puts forth the concept of a “defensible” network: a network that can easily watched (monitored); a network that limits an intruder’s freedom to maneuver; a network that offers a minimum of services; and finally, a network that can be kept current.

With this foundation laid, the author delves into “Network Security Monitoring” which is defined as “the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions.”  The rest of the book deals with the practical aspects of NSM: how to setup and use programs to collect NSM data; Best Practices; Case Studies; managing a NSM program; and finally, tactics on attacking NSM, and ways to mitigate these risks.

I have found this book to be very helpful in bringing balance to my understanding of how Intrusion Detection fits into an InfoSec program.  I will follow up on this thought in my next post.

I would highly recommend this book to anyone interested in going deeper into InfoSec, especially dealing with Intrusion Detection Systems.  It does have quite a bit of BSD-centric material, of which I skipped over alot of, but still very useful principles.

I hate to give my first book review a 10 out of 10, but any less would not do it justice.


Tagged , ,