RE: Security Evaluation Project

["Clayton T. Dillard" <cdillard () securespeed cc>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Donald,
        Might I suggest that you leave your fears behind and rely on your
education to guide you through the often tricky world of information
security and assurance - auditing, VA, Pen-testing, etc.

It seems like you need to get your hands on a platform that will
allow you to use and learn about security tools.  Speaking
personally, this is the best way to learn (on a test network of
course).

A good all around tool that should help you understand many of the
popular exploits and security tools available today can be found in
Knoppix-STD.  STD is the Security Tools Distribution of the popular
Knoppix "live-cd".  Once you download Knoppix-STD, read as much as
you can about the included tools, find a test network that you have
permission to use and then begin using the tools on target systems. 
This is your best bet for learning quickly, IMHO.

Good luck on your project and thank you sincerely for serving in law
enforcement!

Best Regards,
Clayton T. Dillard, GSEC MCP
Chief Executive Officer
SECURESPEED, LLC
http://www.securespeed.cc
"Information Assurance & Security"


- -----Original Message-----
From: Donald Gerkin [mailto:dgerki1 () towson edu] 
Sent: Tuesday, February 03, 2004 12:14 PM
To: security-basics () securityfocus com
Subject: Security Evaluation Project


Greetings to all:

I've been an avid reader of the list for quite sometime now, and I am
continually impressed by the level of expertise and willingness to
help. It 
is now my turn to ask the masses for their opinions and insight.

In a nutshell:

I am in my last semester in an Applied Information Technology program
(A MS 
degree). My concentration is Information Security and Assurance. I am
a 
detective for the Baltimore (MD) police department. I have a fairly
decent 
background as it relates to engineering and technology. My biggest
issue is 
that my graduate program isn't very "hands-on." The theory I have
learned is 
great, and I truly believe I am 1000 times the security practitioner
I ever 
was, but it is in theory. Sit me in front of a unix or linux system
and I 
would give you my best dumb look and blank stare. So the hands-on,
nitty 
gritty dirty experience is what I sorely lack. I am faithful that it
will 
come in time. 

For my project, I chose to perform a security audit of the Baltimore
Police 
Department's network security and information infrastructure. It
transcends 
nicely away from the traditional for-profit corporation eveluations
and even 
has that catchy "homeland security" considerations.

Part of the project will involve physical security evaluations and 
recommendations, policy evaluation, and studying past failures. So
far, so 
good for me. I also want to get involved with a moderate amount of
pen 
testing, and possible "war-driving" in the traditonal sense to
evaluate the 
network, and wireless systems respectively. Not so good for me
here... 
Again, in theory I can do it all day, but I am sorely lacking in
experience.

So.... what is is that I ask? Advice, links to resources, and even
war 
stories from those who may have done this before, regardless of the
forum. 
Any help from an email with a ton of links and resources to one
telling me I 
am completely out of my mind are truly welcomed! Pardon the long
e-mail, and 
feel free to contact me off list! 

Rick, I know you're still lurking out there in this list, so I fully
expect 
an e-mail from you nagging me about going to linux!

Thanks to all and regards,

Donald Gerkin
dgerki1 () towson edu

- ----------------------------------------------------------------------
- -----
Ethical Hacking at InfoSec Institute. Mention this ad and get $720
off any 
course! All of our class sizes are guaranteed to be 10 students or
less. 
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion
Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720
off 
any course!  
- ----------------------------------------------------------------------
- ------

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBQCJrVIFuGAwX2rmNEQI/kgCg2vP8W2FKLbMVDxvrnuVv1lyOTWQAn3Lq
tXtog1vOdpP89Iusm0NOvfML
=BLct
-----END PGP SIGNATURE-----


---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any 
course! All of our class sizes are guaranteed to be 10 students or less. 
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off 
any course!  
----------------------------------------------------------------------------