http://www.infoworld.com/cgi-bin/displayStat.pl?/careers/980727sem.htm

July 27, 1998

Seminar Critique

E&Y teaches the fine art of hacking at your site

By Stuart McClure

Walking into the Ernst & Young classroom, I expected a group of stuffed-shirt prima donnas belching forth the latest rhetoric about massive security problems within IT departments. Instead I got an experienced group of down-to-earth security consultants who knew their stuff inside and out.

The Ernst & Young Information Security Services group has put together a class headed by George Kurtz, attack and penetration service line leader. The instructors will come to your site to train 15 to 30 students; other arrangements may also be possible.

Ernst & Young's recipe for security is not a new one; Dan Farmer and Wietse Venema published the white paper that started it all back in 1993: "Improving the Security of Your Site by Breaking Into It." The premise is the same, but Ernst & Young's crack security team has taken it to the next level.

Methodology is what separates this training from others. Ernst & Young's Martin Dolphin and Eric Schultze have compiled a step-by-step procedure for breaking into Windows NT systems that is in such demand that they print it as a wallet-size cheat sheet. Their Unix cracking methodology is equally detailed and covers every step on the way to the coveted root access.

The class teaches comprehensive techniques for breaking into Internet, intranet, extranet, and dial-in resources, including reconnaissance, exploitation, and host vulnerability assessment. The instructors did an excellent job covering the known techniques for gathering information about a target, combining freeware and commercial software such as pscan, nmap, Network Associates' CyberCop Scanner (formerly Ballista), Internet Security Systems' Internet Scanner, and more. The instructors then showed how to gain administrator privileges.
They taught remote attacks such as spoofing, misdirected routing, buffer overflows, and brute-force attacks on services such as FTP, Telnet, Secure Shell, Post Office Protocol, and the Unix r* services. Local attacks were covered as well. We covered vulnerability assessment only for Unix and Windows NT systems, but Ernst & Young will customize the contents to your company's needs, including Novell, AS/400, and some mainframe systems.

Ernst & Young's security gurus also had some new techniques, such as remotely hijacking an NT machine through Virtual Network Computing (VNC) from a PalmPilot. They have also put Paul Ashton's modified Linux smbclient to work: it accepts an NT password hash in place of the password, and because NT's challenge-response authentication only ever uses the hash, a captured hash is enough to gain administrator access to an NT server. If this isn't making you nervous, maybe you should check your pulse.

By far the most fun part of the class was the three "capture the flag" contests. The opportunity to put into practice all we had learned turned the subdued class into a frenzied group of hacker wannabes. Cracking the NT box and pilfering its resources seemed a trivial task after the lecture. And even the Unix systems were not immune.

The class is not a course on application or database security, nor does it cover physical security. Instead what you get is a concentrated three days of training on network and host security.

If you haven't already done so, now is the time to get serious about security. This course will teach your staff to protect your corporate jewels. You would be hard-pressed to find a more comprehensive and real-world attack and penetration training class in the country.

InfoWorld Test Center Support Manager Stuart McClure (stuart_mccluret_private) has managed information security for nine years.
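The smbclient modification mentioned above works because of a property of NT's LAN Manager challenge-response: the client never sends the password, only a response computed from the NT hash (MD4 of the UTF-16LE password) and the server's 8-byte challenge, so whoever holds the hash can answer the challenge exactly as the real user would. The program below is an added example written for this page, not Ernst & Young's course material and not Paul Ashton's smbclient patch. It implements MD4 from scratch (Go's standard library has none), derives the NT hash, computes the NTLMv1 response with DES from the standard library, and shows that the response built from a "stolen" hash is identical to the one built from the password. The challenge bytes and the password "password" are constructed sample inputs; the assertion that a stolen hash suffices is the whole point of the technique later called pass-the-hash.

```go
package main

import (
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// MD4 implements RFC 1320 from scratch; the NT hash is MD4 over UTF-16LE text.
func MD4(msg []byte) [16]byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	f := func(x, y, z uint32) uint32 { return (x & y) | (^x & z) }
	g := func(x, y, z uint32) uint32 { return (x & y) | (x & z) | (y & z) }
	h := func(x, y, z uint32) uint32 { return x ^ y ^ z }

	// Padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit little-endian.
	m := append(append([]byte{}, msg...), 0x80)
	for len(m)%64 != 56 {
		m = append(m, 0)
	}
	var lenb [8]byte
	binary.LittleEndian.PutUint64(lenb[:], uint64(len(msg))*8)
	m = append(m, lenb[:]...)

	k3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	s1, s2, s3 := [4]int{3, 7, 11, 19}, [4]int{3, 5, 9, 13}, [4]int{3, 9, 11, 15}
	for off := 0; off < len(m); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(m[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: message words in order
			a = bits.RotateLeft32(a+f(b, c, d)+x[i], s1[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 2: words 0,4,8,12,1,5,9,13,...
			a = bits.RotateLeft32(a+g(b, c, d)+x[(i%4)*4+i/4]+0x5a827999, s2[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 3: words 0,8,4,12,2,10,6,14,...
			a = bits.RotateLeft32(a+h(b, c, d)+x[k3[i]]+0x6ed9eba1, s3[i%4])
			a, b, c, d = d, a, b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// NTHash is the NT one-way function: MD4 of the password encoded as UTF-16LE.
func NTHash(password string) [16]byte {
	buf := make([]byte, 0, 2*len(password))
	for _, u := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(u), byte(u>>8))
	}
	return MD4(buf)
}

// desKey56 widens a 7-byte key to DES's 8-byte form by inserting a parity
// bit after every 7 bits; DES drops those bits in its key schedule anyway.
func desKey56(k []byte) []byte {
	out := make([]byte, 8)
	for i := 0; i < 8; i++ {
		var v byte
		if i > 0 {
			v = k[i-1] << (8 - i)
		}
		if i < 7 {
			v |= k[i] >> i
		}
		out[i] = v & 0xfe
	}
	return out
}

// NTLMv1Response pads the 16-byte hash to 21 bytes, splits it into three
// 7-byte DES keys and encrypts the server challenge with each. Note that the
// password is not an input: the hash alone is all a client ever needs.
func NTLMv1Response(ntHash [16]byte, challenge [8]byte) [24]byte {
	var padded [21]byte
	copy(padded[:], ntHash[:])
	var resp [24]byte
	for i := 0; i < 3; i++ {
		blk, err := des.NewCipher(desKey56(padded[7*i : 7*i+7]))
		if err != nil {
			panic(err) // only reachable with a wrong key length
		}
		blk.Encrypt(resp[8*i:8*i+8], challenge[:])
	}
	return resp
}

// PassTheHashWorks reports whether an attacker holding only the stored hash
// produces the same response as a legitimate client that knows the password.
func PassTheHashWorks(password string, stolenHash [16]byte, challenge [8]byte) bool {
	return NTLMv1Response(NTHash(password), challenge) == NTLMv1Response(stolenHash, challenge)
}

func main() {
	challenge := [8]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef} // constructed sample
	stolen := NTHash("password")                                         // stands in for a hash dumped from the SAM
	r := NTLMv1Response(stolen, challenge)
	fmt.Println("NT hash:       ", hex.EncodeToString(stolen[:]))
	fmt.Println("NTLMv1 resp:   ", hex.EncodeToString(r[:]))
	fmt.Println("hash suffices: ", PassTheHashWorks("password", stolen, challenge))
}
```

The defensive reading is the one the course draws: once an attacker can read the SAM, the password policy no longer matters, because the stored hash is a password-equivalent credential for every system that will accept this challenge-response. Protecting the hash store is as important as protecting the password itself.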
------------------------------

Course at a glance

Extreme Hacking -- The Art of Attack and Penetration
Ernst & Young LLP

Contact: George Kurtz, Hackensack, N.J.; (201) 836-5280; george.kurtzt_private
Price: $15,000 to $25,000 for onsite staff training
Length: Two or three days
Locations: Classes are held at customer sites or at the Cleveland training center.
Student placement: Ernst & Young can help you match participants to the course when you set up the class.
Course content: Very solid. Covered all the basics, plus some advanced cracking techniques.
Course materials: Three-ring binder of slides and pullouts, plus a CD-ROM full of goodies.
Teaching method: Sixty percent lecture, 40 percent hands-on, with questions encouraged throughout.
Instructors: Knowledgeable, experienced, and helpful.
Setting: Good. Twenty to 30 people in a class, with one computer per student.
Overall value: Excellent

-o-
Subscribe: mail majordomot_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]