Security Basics mailing list archives
Re: Recommended training course?
From: Jon Kibler <Jon.Kibler () aset com>
Date: Mon, 14 Jul 2008 11:53:41 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jimmy Liang wrote:
Hello, I?m looking at expanding my security knowledge and am looking for recommendations on training courses. I?ve had a few years of Windows and Solaris admin experience managing 30 or so 24/7 systems, and minimal web application development. I know the basic concept of SQL injection and CRLF injection, but wouldn?t know how to actually apply it in real life. I?ve been looking at the Foundstone courses, specifically, the ?Ultimate Hacking: Expert? course. This is mainly because the regular ?Ultimate Hacking? and ?Ultimate Web Hacking? courses are not offered in my area any time soon. I?m a little concerned that the course description says that advanced Unix and Windows knowledge is required? What does advanced mean? Anyone else have other recommendations on classes? I learn better with hands on labs and live instructors. I'm mainly looking for web application vulnerability but general system/wireless/network security would also be beneficial. Any recommendations is greatly appreciated.
Hi, Any type of 'pen testing' course requires a DETAILED understanding of: O/Ses (Windows, and *nix) administration, command line and scripting IP Protocol (TCP, UDP, ICMP, ARP, IP flags, IP fragmentation, etc.) Application Protocols (HTTP, SOL, SMTP, etc.) Some programming (understand stack, heap, etc.) Basic tools (nmap, netcat, nessus, dsniff, wireshark, etc.) When I say DETAILED, I **REALLY** mean detailed. The person that knows the most makes the best pen tester, and most courses are written assuming that you know that basics already. I do not know the Foundstone courses specifically, but Foundstone created the Hacking Exposed series of books. Before even considering a course in Web Hacking, I would get one of their basic books and one of their web hacking books. I would also download a couple of their 'HackMe' sites (bank, bookstore, etc.) and work with them. Until you are completely comfortable with both the books and the HackMe sites, I would not even consider an 'Expert' course. It will totally leave you in the dust. (Just from the nature of your question, I would have to judge that you probably do not have the required background for the courses you mentioned.) I have taught various penetration testing courses for about a decade now, and I can tell you from personal experience that only about half the students who take those courses have the required background. The ones without adequate background simply become overwhelmed the first day and feel like they are drinking from a dozen fire hoses at once. They pick up a few things here and there, but since they lack the basics, they are unable to acquire the skills they had hoped for. SANS has some basic courses, but they are not cheap. The CEH course is probably the most detailed, but a 5 day CEH course only covers the basics and you are left to learn the meat on your own. Foundstone has a reputation for good courses, but from what I understand, they are mostly not for beginners. If you want a true intro course, look into SensePost's Hacking by the Numbers Cadet Edition course at BlackHat -- I have heard nothing but good comments about it. (I did their Combat Training course last year -- best course I ever took.) You may learn best with hands-on labs and live instructors, but all courses assume a certain amount of prior knowledge and experience. Even at a basic level, there is too much background required to include the background basics in the course. Look at it from this perspective: Most hacking courses are like calculus, and you would not take a calculus course without algebra and trig, because that background would be assumed and not covered in the course. Bottom line: If you read a couple of the Hacking Exposed books and you think 'Okay, this is boring, I already know this stuff', then you are probably ready for a course. Until then, study the books and work some with some of the HackMe tools. You may also want to take a look at the OWASP WebGoat, too. Hone your skills before you spend your money on formal training. I hope this helps. Jon Kibler - -- Jon R. Kibler Chief Technical Officer Advanced Systems Engineering Technology, Inc. Charleston, SC USA o: 843-849-8214 c: 843-224-2494 s: 843-564-4224 My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkh7doUACgkQUVxQRc85QlPf3ACeMvk0qqZO4vE91aDT81bDgP+1 nUoAoImpR3ffEIjkdy4Pz70RZTbQ0mgd =rbt5 -----END PGP SIGNATURE----- ================================================== Filtered by: TRUSTEM.COM's Email Filtering Service http://www.trustem.com/ No Spam. No Viruses. Just Good Clean Email.
Current thread:
- Recommended training course? Jimmy Liang (Jul 14)
- Re: Recommended training course? Ali, Saqib (Jul 14)
- Re: Recommended training course? Jon Kibler (Jul 14)