July 5, 2010

Environment Hardening as a Training Course

I have been giving some very rewarding trainings in the past few weeks. I want to publicly thank all the attendees. I truly enjoyed both experiences. I was blessed with very knowledgeable and motivated participants, who turned the classes into enjoyable peer-to-peer experiences instead of hours of monologue in front of clearly absent-minded people.

I led two very different courses. The first was aimed at the internal IT staff of a company that is not exactly in the computer business, but whose business is very dependent on computers and who are very concerned about their IT administrators' performance. I believe we had a full hand of application, system and network administrators participating.

I did my Security by OSI Layers course for them, which goes through the entire Open Systems Interconnection (OSI) model talking about the threats past and present affecting each layer. I actually find the OSI model to be very convenient for this type of generic computer security training. It gives them structure.

As usual we spent a good part of the course reviewing application layer security, but in the end there is a lot to talk about on each layer. The layered approach also allows me to inject some history of hacking into the course and thus illustrate the progress of the game and some of the original reasoning behind concepts like Public Key Infrastructure (PKI) and other computer security mechanisms nowadays often taken for granted.

We obviously also covered various mitigation techniques and defensive measures against the reviewed threats. With this type of course it is relatively easy to provide concrete additional value to the customer, as the example material can all be drawn from the real-life customer environment, as we did now. In this particular case all our course exercises were actually related to assessing and hardening their own environment.

The other course I did was a bit different and somewhat more theoretical. It was for a group of junior members of a Computer Security Incident Response Team (CSIRT): people who have been working from zero to a few years responding to corporate computer security incidents and IDS alerts. The course was built around the CompTIA Security+ certification, as passing the exam was one of the internal requirements for a senior seat in the team.

I personally find the Security+ exam to serve perfectly for this type of junior agent graduation. These people often do not possess the full five years of work experience needed for the (ISC)2 CISSP exam, so the CompTIA alternative serves them well. While consisting of only six knowledge domains, the Security+ manages in my opinion to test the applicant's knowledge of the fundamentals rather well.

On both courses we also had a little isolated lab environment for some hands-on exercises. I find this essential. Many of the central concepts related to computer security are challenging to teach by word only. Check the original buffer overflow article by Aleph One for proof. While it is extremely important to understand the science behind the security vulnerabilities and computer attacks, I find it equally essential to have hands-on experience of launching such attacks, witnessing them happening and examining the results of a successful attack. Especially for the system and network administrators who may not be directly involved with computer security research, but are very much affected by it.

The central point in our little labs was the Metasploitable server image [torrent] recently released by the good man HD Moore and his associates. It is an extremely vulnerable Ubuntu 8.04 server that comes with various expired versions of applications and servers, with weak account credentials and multiple configuration flaws by default. A happy trainer toy for demonstrating what this thing called computer compromise is. Big up Metasploit crew once again.

Check the Metasploit blog post linked above to get started with the image, but I encourage you to explore also. There is much, much more insecurity to be found beyond the few attacks outlined in the post. Good for brute-force exercises also. We were not actually able to break into the root account during the course, but we did get root in later attack stages with some privilege escalation exploitation. Lots of fun included.

We attacked the Metasploitable server from various BackTrack 4 systems. Another reason to give thanks and praise, but this time to the Offensive Security crew. I am sure you are aware of the BackTrack distro by now, so I will only testify that it is very suitable for training lab use also.

There have been some major changes in BackTrack version 4, by the way. BackTrack is now based on Debian. I find it only nice to have the Advanced Packaging Tool (APT) handling the update and install procedures, among some other things now included as well. BackTrack 4 comes to the network very quiet. It seems the network interfaces are disabled by default and not even the DHCP client runs automatically. You therefore have to run ifup eth0 (or whatever your connected interface may be) to enable the interface and run dhclient to get the DHCP configuration manually from the server, which in our case was the Metasploitable server.

So...I am available for trainings : ) Feel free to contact me by email with any queries regarding the courses I am able to lead. I am also willing to create custom courses aimed at very specific audiences, such as web application developers or IDS incident handlers, if needed.
