Penetration Testing mailing list archives
RE: Ethical Hacking Training
From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Tue, 20 Jan 2004 15:24:14 -0800
<all opinions are my own and in no way reflect the views of my employer>

There is one point that I haven't seen mentioned yet in this discussion (though I may have missed it). Whether you think all your information security officers/consultants/technologists/wizards/priests should know how to write buffer overflows or not, a one-week "hacking course" isn't going to teach them that. Years of experience as a programmer and system administrator may give them the background to be effective at it, but all you are going to get from a one-week course is a review of the current tools and a glorified script-kiddie.

People talk about knowing "how to hack", but that's a really big area. Do you mean having some general experience thinking like an attacker? Or do you mean you want someone with experience writing assembly for overflows? Or writing SQL for insertion attacks? Or do you want someone who can social engineer their way into anywhere?

It may be harder to write a buffer overflow than to manage a firewall, but I'd argue that it's much harder to develop a complete information security approach that is balanced and feasible for a company than it is to enumerate a system, find a vulnerability and exploit it. And it's much harder to teach the first task than the second.

toby

-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net]
Sent: Tuesday, January 20, 2004 10:47 AM
Subject: RE: Ethical Hacking Training

As much as I think that it's valuable for security personnel to know how their attackers think and operate, I think this particular analogy is flawed. Hacking is not part of the job, necessarily, any more than flying is part of the programmer's job in this example. I have known many excellent security officers who couldn't run an exploit (and never had), but who really knew their stuff and put it to use in real-world environments.

It is possible to know how to defend a network without knowing the details of how to break into it; you're defending against concepts, not keystrokes.

-----Original Message-----
From: Tim,,, [mailto:tim () spang org] On Behalf Of Tim Gurney
Sent: Monday, January 19, 2004 5:10 PM
Subject: Re: Ethical Hacking Training

Mostly I lurk on this list, but this is a topic I feel strongly about. Let me give you an example: would you employ someone to write code for a real-time fly-by-wire system who had no experience of doing it? NO! So why employ a security officer who has no idea how to hack? If you don't know how to do it, you won't know how others do it and you won't know how to stop it. You need to have "played the game" to know where to look, and how to read between the lines, and have contacts in the underground groups. Yes, I am speaking from experience; I am a freelance security consultant, and I have played the other side of the fence while at uni, and I don't trust any security specialist who hasn't done the same.