Re: Graduate CS Pen Testing Class

[Fredrik Strömberg <stromberg () insto org>]

Hi Wesley,

I´m teaching a course for undergrads called "IT-security systems and
risk analysis". It´s the last course the second year in an IT
forensics/security bachelor, and they have limited programming
experience. Our courses are obviously geared towards different groups,
but I thought I should share anyway.

I try to teach what Scott talks about (A->Z, the hacking mindset)
through personal anecdotes and example after example on how you can
use systems in ways not intended, in every lecture, in line with
whatever subject I happen to talk about. IP over DNS and the (joke)
sql injection in the swedish election are personal favorites because
they work well for giving "Oh, I´d never have thought of
that"-moments. Sanitizing inputs is obviously a big thing, so that´s
something I come back to as often as I can, to show them that people
have almost never thought of all ways in. These examples are often
from a real intrusion, so it´s very obvious to them that this actually
exists in the wild. It also makes it easier for them to connect and
remember.

As for the practical part of the course I use virtual machines. One
attacker (with e.g. Metasploit) and one or more hackable machines -
not just double-click->pwn but hack from one machine to the next, some
local privilege escalation, maybe extract something from a database.

If you´re teaching general pen testing, don´t forget to include
lectures and exercises on web security.


Kind regards,
Fredrik Strömberg

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------