Penetration Testing mailing list archives

Re: Ethical Hacking Training


From: "Hamish webhosting.net.nz" <koremeltdown () hotmail com>
Date: Tue, 20 Jan 2004 03:07:52 +0000

Greetings James, Gregory and the rest of the group,

Nothing against the (respected) posters, but I tend to disagree that "know your enemy" is a bad statement... Infact I believe it to be probibly the best statement - know your job is only a small part of being a security expert. To give your client base a fighting edge against real hackers (and face it, not all of them out there are script kiddies, there are guys out there smarter than a lot of us) you must understand several things; these being:

* The mindset of a hacker (yes, there are several similarities most hackers & even script kiddies share)

* Changing trends & methods in how real hackers "hack"

* Different hacker groups, connections and specialist skills (most hacking clans will specialise in one particular type of service/os etc, and may even hack in unique steps or processes)

* We as security experts must attempt to our very best to be aware of security threats before they are "real threats" over the internet - that is where the real danger lies with a lot of intrusions as I am increasingly finding. This means that to retain a distinct advantage over hackers and competing companies it is advantagous to become "part of the underground" (how in-depth you delve is your business) and know exactly what your enemy is capable of - otherwise we are as good as al queda is in the mountains, we are just waiting to be struct down.

As I realise that many here are a lot more experienced and knowledgeable members of this group than I am, feel free to comment/correct me on any of my statements :)

Kindest of regards,

Hamish Stanaway

-= KoRe WoRkS =- Internet Security / Absolute Web Hosting
Owner/Operator
Auckland, New Zealand

http://www.koreworks.com/
http://www.webhosting.net.nz/
http://www.buywebhosting.co.nz/





From: "Meritt James" <meritt_james () bah com>
To: "DeGennaro Gregory" <Gregory_DeGennaro () csaa com>
CC: "Teicher Mark (Mark)" <teicher () avaya com>,Rob Shein <shoten () starpower net>,"Andy Cuff [Talisker]" <lists () securitywizardry com>,pen-test () securityfocus com
Subject: Re: Ethical Hacking Training
Date: Mon, 19 Jan 2004 13:06:22 -0500
MIME-Version: 1.0
Received: from outgoing3.securityfocus.com ([205.206.231.27]) by mc9-f39.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Mon, 19 Jan 2004 17:58:51 -0800 Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])by outgoing3.securityfocus.com (Postfix) with QMQPid 0C308A322B; Mon, 19 Jan 2004 14:46:20 -0700 (MST)
Received: (qmail 6082 invoked from network); 19 Jan 2004 18:29:14 -0000
X-Message-Info: JGTYoYF78jHcoYaI71uszeCgzM6KDEBt
Mailing-List: contact pen-test-help () securityfocus com; run by ezmlm
Precedence: bulk
List-Id: <pen-test.list-id.securityfocus.com>
List-Post: <mailto:pen-test () securityfocus com>
List-Help: <mailto:pen-test-help () securityfocus com>
List-Unsubscribe: <mailto:pen-test-unsubscribe () securityfocus com>
List-Subscribe: <mailto:pen-test-subscribe () securityfocus com>
Delivered-To: mailing list pen-test () securityfocus com
Delivered-To: moderator for pen-test () securityfocus com
Message-ID: <400C1C9E.314B1FED () bah com>
Organization: Booz Allen Hamilton
X-Mailer: Mozilla 4.78 [en]C-CCK-MCD   (Windows NT 5.0; U)
X-Accept-Language: en
References: <F97F7F0DF168D6119C470008023E37100A33A4FE@CSSMCMNT08>
Return-Path: pen-test-return-4368-koremeltdown=hotmail.com () securityfocus com X-OriginalArrivalTime: 20 Jan 2004 01:58:51.0898 (UTC) FILETIME=[F3BC85A0:01C3DEF8]

Here we go again.  I believe that those skills necessary to build a
building are different than those to demolish a building.  There are
construction engineers and there are demolition experts.  Different
things.  And the skills to fix a car engine are not those necessary to
vandalize one.  "Know your enemy" is nice, "know your job" is, in my
opinion, better.

"DeGennaro, Gregory" wrote:
>
> Very good statement and you do need to know your enemy.
>
> Just because you're a police officer, soldier, or in our case, information > security engineers, does not mean you or I really know our enemy and their
> full or potential capabilities.
>
> Ethical hacking gives us an overview or lets us peer into the cracker's
> world.  Of course, the classes do not have the latest cracks unless they
> have a honey pot running and receiving such traffic. Nor, does it make us
> crackers.  It is only a look see and not cracker training.
>
> Ethical Hacking is really a coin term for the public and those who do not > know the difference between hacker, wacker, and cracker. The public only > knows or thinks they know what a hacker is. In reality, they have no clue
> that a hacker is good and the other two are not.
>
> Also, how do you propose a professional runs pen and vuln tests against
> their network to secure holes in their fortifications?  There are good
> products on in the market; however not everyone can afford them, use them
> properly, or the software or device is not totally up to date or catches
> everything.
>
> Regards,
>
> Greg DeGennaro Jr., CCNP
> Security Analyst
>
> -----Original Message-----
> From: Teicher, Mark (Mark) [mailto:teicher () avaya com]
> Sent: Friday, January 16, 2004 7:10 PM
> To: Rob Shein; Andy Cuff [Talisker]; pen-test () securityfocus com
> Subject: RE: Ethical Hacking Training
>
> Talisker,
>
> I still have an issue with the term "Ethical hacking"  It was a term
> born out of the Big Six when they were trying build their security
> practices and leverage their existing client base.  I still feel the
> term is somewhat of slant on those who practice "holistic security" and
> actually attempt to help customers improve their network security
> posture instead of pointing out the "glaring" hole that those who
> practice "Ethical Hacking" like to do.
>
> I have worked in the past with those who preach and teach "Ethical
> Hacking" Many of those people have published books exploiting that exact
> theme.
>
> Why not spend the time in researching how to correct security exploits
> in enforcing secure coding standards and forcing vendors to clean up
> their act and making their products work more efficiently and securely.
>
> /mark
>
> --------------------------------------------------------------------------- > ----------------------------------------------------------------------------

--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566

---------------------------------------------------------------------------
----------------------------------------------------------------------------


_________________________________________________________________
Check out the new MSN 9 Dial-up — fast & reliable Internet access with prime features! http://join.msn.com/?pgmarket=en-us&page=dialup/home&ST=1


---------------------------------------------------------------------------
----------------------------------------------------------------------------


Current thread: