Penetration Testing mailing list archives
RE: Pen Testing for investigators
From: "Craig Wright" <cwright () bdosyd com au>
Date: Wed, 21 Sep 2005 07:40:11 +1000
I agree fully. There is no place in law enforcement or investigation for pen testing. Police are not trained in murder to stop it. Police training does not include the use of lock picks, arson or fraud. *** NO *** 5 day course will "teach you to think like a hacker". A D. Psychology will rarely do this.

Lots of people make lots of money training pen testers. I am not stating that there is no place for vulnerability tests, but that they are generally flawed in delivery and should be a part of a larger project.

The premise that you must be a thief to catch a thief is fundamentally flawed.

Craig

-----Original Message-----
From: Security Professional [mailto:redteamer () gmail com]
Sent: 20 September 2005 10:32
To: pen-test () securityfocus com
Cc: ish () dolphtech com
Subject: Re: Pen Testing for investigators

Ish,

I changed the subject in my response because, to be honest, I don't think investigators, law enforcement officers, and the like need to focus as much on pen testing as they do on forensic analysis (hardware and network), intrusion analysis, law, etc. Traditionally, pen testing is left to a whole other group. That being said, it is still somewhat understandable that you would want to provide an overview of pen testing to broaden horizons. So, here is my opinion on a few courses and classes (most of which I have taken and recommend):

1) Intrusion Detection Training and Packet Analysis - This to me is one of the most important pieces of training if you are in the field of incident handling or intrusion detection. To me, there is one class which stands up above the rest and that is the SANS Track 3 course. Now, opinions aside on what they have done recently with the certification (GCIA) requirements, this class is one of the most intense courses I have gone through. The amount of packet level analysis and IDS analysis that you do will make your head hurt. I highly recommend this class to everyone I meet.

2) Forensic Analysis (Hardware) - Since we are mostly an Encase shop, I can only speak about Encase training. I do know that SANS also offers a Forensics course (I think it is Track 8), but I have not been, so I cannot speak on that one. That being said, I would go to whatever vendor you decide to use for software and ask them for training. This is probably your best bet for understanding the software that your guys will be using in the field. Sorry, not a lot of help here on this one.

3) Malcode analysis - I don't know if you guys will be getting into this, but if you are, there are two options I would suggest here. One is a SANS certification called GREM (http://www.giac.org/certifications/security/grem.php). A few of my colleagues have gotten this certification and it seems to have helped them a great deal. Also, if you are looking for a cheaper alternative to this, you can do what many of us have done and train yourself. Quite honestly, the best way I feel to learn how different malcode works / operates is to play with it yourself. Get yourself a copy of regmon, filemon, Tripwire, etc., and set up a little test LAN with a router and simulate a normal network environment. Run the code, analyze the packets, look at what registry settings are changed, see what files are created, changed, or accessed, and you will be well on your way. Please keep in mind that this is a very technically oriented job duty and is not for the everyday Joe just wanting to dabble.

4) Pen Testing - This is what your original question was asking for, but as I stated earlier, I don't know if you really understand what you were asking (please take no offense... this is just my opinion). Pen Testing and classes that supposedly teach it have become all the rage lately and, quite frankly, I have yet to see a class that truly teaches someone how to be a Pen Tester. That being said, there are a few courses out there that will allow your guys to get their feet wet and get a base knowledge if that is what you are looking for. The best intro course I have attended to date was the CEH class (Certified Ethical Hacker). This class does not delve deep into the advanced techniques, but does provide a broad sweep and understanding of how a Pen Test is performed and the everyday tools used in the process. Also, I recently attended NSA's IAM and IEM courses which, in my opinion, give a nice overall view of a methodology to use when doing an evaluation. Also, ISECOM offers two classes based on the OSSTMM that teach a somewhat different methodology.

Again, please keep in mind that it is somewhat not the norm when you use the words Law Enforcement Officer, Forensics Analyst, and Pen Tester in the same sentence. These are usually three, or at the least two, completely separate job functions that are performed within an organization. I have yet to stumble across an employer who wants their badge waivers to also be Pen Testers, Intrusion Analysts, and Forensics Analysts at the same time (at least on the Govt. side of things).

I hope this helps you out a bit. Everyone has their own opinions on all these courses and subject matter, so please take this as an OPINION and nothing more. In no way am I saying that this is the path you should follow.

Take care.

- Brian Bartholomew