[ISN] E&Y Teaches fine art of hacking at your site

From: mea culpa (jerichot_private)
Date: Mon Oct 05 1998 - 14:45:45 PDT


    July 27, 1998
    Seminar Critique
    E&Y teaches the fine art of hacking at your site
    By Stuart McClure
    Walking into the Ernst & Young classroom, I expected a group of
    stuffed-shirt prima donnas belching forth the latest rhetoric about
    massive security problems within IT departments. Instead I got an
    experienced group of down-to-earth security consultants who knew their
    stuff inside and out.
    The Ernst & Young Information Security Services group has put together a
    class headed by George Kurtz, attack and penetration service line leader. 
    The instructors will come to your site to train 15 to 30 students; you may
    be able to make other arrangements as well.
    Ernst & Young's recipe for security is not a new one; Dan Farmer and
    Wietse Venema published the white paper that started it all back in 1993: 
    "Improving the Security of Your Site by Breaking Into it." But although
    the premise is the same, Ernst & Young's crack security team has taken it
    to the next level. 
    Methodology is what separates this training from others.  Ernst & Young's
    Martin Dolphin and Eric Schultze have compiled a list of steps for
    breaking into Windows NT systems that is in such demand they have a
    wallet-size cheat sheet detailing each step. Their Unix cracking
    methodology is equally detailed and includes all of the steps necessary
    for the coveted root access.
    The class teaches some comprehensive techniques on how to break into
    Internet, intranet, extranet, and dial-in resources, as well as
    reconnaissance, exploitation, and host vulnerability assessment.
    The instructors did an excellent job covering all of the known techniques
    for gathering information about a target, combining freeware and
    commercial software such as pscan, nmap, Network Associates' CyberCop
    Scanner (formerly Ballista), Internet Security Systems' Internet Scanner,
    and more.
    The instructors then showed how to gain administrator privileges. They
    taught remote attacks such as spoofing, misdirected routing, buffer
    overflows, and brute force attacks on services such as FTP, Telnet, Secure
    Shell, Post Office Protocol, and the Unix r* services. Local attacks also
    were covered.
    We covered vulnerability assessment for only Unix and Windows NT systems,
    but Ernst & Young will customize the contents to your company's needs,
    including Novell, AS/400, and some mainframe systems. 
    Ernst & Young's security gurus also had some new techniques, such as
    hijacking an NT machine remotely with Virtual Network Computing (VNC) by
    using a PalmPilot. Also, they have been able to take advantage of Paul
    Ashton's hack of smbclient on Linux to accept NT hash values instead of
    passwords to gain administrator access to an NT server. If this isn't
    making you nervous, maybe you should check your pulse.
    By far the most fun part of the class was three "capture the flag" 
    contests. The opportunity to put into practice all we had learned turned
    the subdued class into a frenzied group of hacker wannabes. Cracking the
    NT box and pilfering its resources seemed a trivial task after the
    lecture. And even Unix systems were not immune.
    The class is not a course on application or database security, nor does it
    cover physical security. Instead what you get is a concentrated three days
    of training on network and host security. 
    If you haven't already done so, now is the time to get serious about
    security. This course will teach your staff to protect your corporate
    jewels. You would be hard-pressed to find a more comprehensive and
    real-world attack and penetration training class in the country.
    InfoWorld Test Center Support Manager Stuart McClure
    (stuart_mccluret_private) has managed information security for nine

    Course at a glance
    Extreme Hacking -- The Art of Attack and Penetration
    Ernst & Young LLP
    Contact: George Kurtz, Hackensack, N.J.; (201) 836-5280;
    Price: $15,000 to $25,000 for onsite staff training
    Length: Two or three days
    Locations: Classes are held at customer sites or Cleveland
    training center.
    Student placement: Ernst & Young can help you match
    participants to the course when you set up the class.
    Course content: Very solid. Covered all the basics, plus
    some advanced cracking techniques.
    Course materials: Three-ring binder of slides and pullouts,
    plus a CD-ROM full of goodies.
    Teaching method: Sixty percent lecture, 40 percent hands-on,
    encouraging questions throughout.
    Instructor: Knowledgeable, experienced, and helpful.
    Setting: Good. Twenty to 30 people in a class with one
    computer per student.
    Overall value: Excellent
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
